DATA DISTRIBUTION



The present invention relates to a data distribution system that provides controlled access to data. For example, the system might be used to provide access to multicast audio or video programme material for a limited period of time in return for pre-payment by the user. The invention is however by no means limited to use with multicast packet networks, and might also, for example, be used with other bulk data distribution channels, including storage media such as DVD (digital versatile disk).

Multicasting techniques have been developed for use with the Internet that allow efficient distribution of data from a data source to a large number of receivers. However, the efficiency and scalability of existing multicasting protocols depend in part on the fact that the data source does not require any knowledge of the data receivers. This, however, presents problems when it is desired to establish a secure relationship between the data source and the receivers, for example so that streamed video data, such as a television programme, is sent only to subscribers who have paid to receive the programme.

In general, such a secure relationship can be established by encrypting the data at the data source, and then controlling access by users to the keys required to decrypt the data. One simple approach is to use a single session key for encrypting data. The session key remains unchanged until a new user wishes to access the data, or until one of the existing users is to be excluded. At that point, a new session key is required and that key has to be distributed to all the users. Even though the efficiency of the key distribution scheme can be improved to an extent by using a hierarchy of keys, only some of which may need to be changed to exclude or include a particular customer, there is still inevitably with such schemes a significant transmission overhead associated with a new customer joining or leaving the group.

In an alternative approach described in the present applicant's co-pending international patent application PCT/GB98/03753 (BT case: A25728AA/0) the data at the data source is divided into a series of application data units (ADUs) and a different key is used for each ADU. The keys are generated systematically as a sequence from an initial seed value. The seed value is also communicated to a secure module at each customer terminal, and that secure module controls the availability of keys to the end users.

According to a first aspect of the present invention, there is provided a method of distributing data comprising:

(a) encrypting a plurality of data units each with one of a sequence of keys;

(b) communicating encrypted data units to a plurality of user terminals;

(c) communicating at least one seed value to a user terminal;

(d) generating from the seed value or values a sequence of keys greater in number than the number of seed values communicated to the user terminal; and

(e) decrypting data units at the user terminal using the said sequence of keys, characterised in that in step (d) a sequence of keys constituting an arbitrarily doubly bounded portion of the sequence of keys of step (a) is generated, and in that the positions in sequence of the lower and upper bounds of the said portion are determined by the at least one seed value communicated in step (c).

The present invention provides a method of distributing data in which, as in the system disclosed in our above cited co-pending application, successive data units are encrypted using a sequence of different keys. However, the method of the present invention offers further significant advantages, in that the extent of the sequence of keys available to each user is not potentially unlimited, as in the earlier systems, but is doubly bounded, that is to say, the beginning and end of the sequence of keys available to the user are determined in advance. As will be further described below, the data sender, or a key issuing party acting on behalf of the data sender, can determine arbitrarily the starting point and end point and hence the length of the key sequence available to the user by selecting which seed values are sent to the user. For any desired portion of the sequence of keys there exists a set of seeds that will provide access to that portion and to that portion only. By providing the user with access to a doubly bounded set of keys, rather than a potentially limitless set of keys, the invention removes the need to have at each customer terminal a secure module under the control of the data sender to control the user's access to the keys.

Preferably the sequence of keys used in step (a) is generated by:

(A) operating on one or more initial seed values and generating a greater number of intermediate seed values, which intermediate seed values blind the initial seed values;

(B) further operating on the values produced by the preceding step and 
generating thereby a still greater number of further values, which further 
values blind the values produced by the preceding step; 

(C) iterating step (B) until the number of values produced is equal to or 
greater than the number of keys required for step (a). 

Preferably, the method includes:

(i) operating on a root seed value with each of a set of different blinding functions thereby producing a plurality of further values;

(ii) operating with each of the set of different blinding functions on the further values produced by the preceding step;

(iii) iterating step (ii) and thereby producing, by the or each iteration, a next successive layer in a tree of values;

(iv) in step (a), using as the sequence of keys values derived from the last iteration of step (ii);

(v) in step (c), communicating to a customer at least one value from the tree below the root seed value, the position in the tree of the value communicated to the customer thereby determining the position and extent of the portion of the sequence of keys available to the customer for use in decrypting data units.

A blinding function is a function which operates on an input value to produce 
an output value where, even when the function is known, the input value cannot 
readily be derived from the output value. The blinding function might comprise, for 
example, a cryptographic hash function such as MD5 (message digest number 5). 

The inventors have found that a particularly effective way of systematically generating a series of keys while facilitating easy control over the position and extent of the portion of the sequence made available to a user is to generate a tree of values by iterated operations using a set of different blinding functions. In the example described in further detail below, a binary tree formed from a pair of symmetrical blinding functions is used. One function is a right rotational shift followed by a hash function and the other function is a left rotational shift followed by a hash function. This feature of the invention is not however limited to use with binary trees, but might also be implemented using ternary or higher order trees.
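The following Python is an added illustration of the binary hash tree just described, not code from the patent: two blinding functions built from a one-bit right or left rotation followed by MD5 grow a tree from a root seed, the last layer serves as the key sequence, and a key manager hands out the fewest tree nodes whose subtrees cover exactly a requested contiguous range of keys. The function names, the 128-bit width and the tree depth are this example's own assumptions.

```python
import hashlib

# Assumptions of this example (not from the patent): 128-bit seeds and keys,
# one-bit rotations as the r() functions, MD5 as the hash b().
WIDTH = 128
MASK = (1 << WIDTH) - 1


def _hash(v):
    """Blind a 128-bit integer with MD5, returning another 128-bit integer."""
    digest = hashlib.md5(v.to_bytes(WIDTH // 8, "big")).digest()
    return int.from_bytes(digest, "big")


def blind_left(v):
    """Left child function: left rotational shift by one bit, then hash."""
    return _hash(((v << 1) | (v >> (WIDTH - 1))) & MASK)


def blind_right(v):
    """Right child function: right rotational shift by one bit, then hash."""
    return _hash(((v >> 1) | ((v & 1) << (WIDTH - 1))) & MASK)


def build_tree(root, depth):
    """Grow the tree layer by layer; layers[d] holds the 2**d values of layer d.
    The last layer is the key sequence, in key-index order."""
    layers = [[root]]
    for _ in range(depth):
        nxt = []
        for v in layers[-1]:
            nxt.append(blind_left(v))
            nxt.append(blind_right(v))
        layers.append(nxt)
    return layers


def keys_under_node(layer, index, value, depth):
    """Everything a holder of node (layer, index) can derive: the leaves beneath
    it, as {key index: key value}. Nothing outside that subtree follows from
    the node, because its parent sits behind the one-way hash."""
    leaves = build_tree(value, depth - layer)[-1]
    first = index * len(leaves)
    return {first + i: k for i, k in enumerate(leaves)}


def seeds_for_range(layers, lo, hi):
    """Fewest nodes whose subtrees cover exactly leaves lo..hi (inclusive).
    Greedy: at each position take the largest aligned block that still fits."""
    depth = len(layers) - 1
    seeds = []
    pos = lo
    while pos <= hi:
        s = 0  # subtree height: a block of 2**s leaves starting at pos
        while (s < depth and pos % (1 << (s + 1)) == 0
               and pos + (1 << (s + 1)) - 1 <= hi):
            s += 1
        layer, index = depth - s, pos >> s
        seeds.append((layer, index, layers[layer][index]))
        pos += 1 << s
    return seeds


def customer_keys(seeds, depth):
    """Receiver side: expand the received nodes into the purchased key range."""
    keys = {}
    for layer, index, value in seeds:
        keys.update(keys_under_node(layer, index, value, depth))
    return keys


if __name__ == "__main__":
    root = 0x0123456789ABCDEF0123456789ABCDEF  # constructed root seed
    depth = 4                                 # 16 keys in the last layer
    layers = build_tree(root, depth)
    seeds = seeds_for_range(layers, 3, 12)    # customer buys ADUs 3..12
    got = customer_keys(seeds, depth)
    print(len(seeds), "seeds sent;", sorted(got) == list(range(3, 13)))
```

A range of 10 keys costs four seeds here (two single leaves at the unaligned ends and two layer-2 nodes), while the whole sequence costs just the root.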

Preferably in step (c), the seed values are communicated to the customer terminals via a communications network and, in this case, preferably the seed values are communicated to customer terminals from a plurality of key management nodes, which nodes are connected to the network at different respective locations.

Another advantage of the present invention in its preferred embodiments is that the process of distributing seed values to provide access to the encoded data can be devolved to a number of key management nodes at different locations, some or all of which may be remote from the data source. In this way the data control system is made readily scalable for use with large numbers of receivers.

Typically, the data units and the seed values will be distributed over the same communications network. However, this is not necessarily the case. For example, the data units may be distributed on a bulk data storage medium, such as DVD, with the seed values subsequently being communicated to the customers on-line via the Internet. It will be apparent that these examples are given by way of illustration only, and that a variety of different implementations may be adopted.

Preferably the seeds required by any receiver to construct the keys for a specific sub-range of the entire key sequence are communicated in an order that implicitly identifies which seed is which. In this case the indexes of the seeds are inferred from knowledge of the minimum and maximum value required and of the pre-arranged order for communicating seeds, without explicitly listing the index number of each seed. Preferably each encrypted data unit carries an unencrypted index number to identify to any receiver which key in the sequence should be used to decrypt that data unit.

According to another aspect of the present invention, there is provided a method of encrypting data for distribution comprising:

(a) operating on at least one root seed value with one or more blinding functions, thereby producing a plurality of further values;

(b) operating with one or more blinding functions on the further values produced by the preceding step or on values derived therefrom;

(c) iterating step (b) and thereby producing, by the or each iteration, a next successive layer in a tree of values;

(d) encrypting a plurality of data units using a sequence of key values derived from one or more of the layers generated by step (c).
According to a further aspect of the present invention, there is provided a method of distributing data comprising encrypting a plurality of data units each with one of a sequence of keys and communicating the encrypted data units to a plurality of user terminals, characterised in that the sequence of keys is generated and allocated to application data units in accordance with a key construction algorithm, and in that copies of the key construction algorithm are distributed to a plurality of key managers so that, in use, receivers may obtain keys for access to an arbitrary portion of the data from a key manager without reference to any data sender or senders.

This aspect of the invention provides an approach to data distribution in 
which key management can be devolved to a number of key management nodes, 
allowing the system to be scaled to encompass large numbers of users. 

According to another aspect of the present invention, there is provided a data carrier including a plurality of data units encrypted for use in a method in accordance with the preceding aspects. The data carrier might be, for example, a data storage medium such as a DVD disc, a region of computer memory, or a data transmission signal encoded with the data units.

The invention also encompasses customer terminals, data servers and key managers for use with the invention, methods of using such devices and networks including such devices.



Systems embodying the present invention will now be described in further detail with reference to the accompanying drawings in which:

Figure 1 is a schematic of a network embodying the invention;
Figure 2 is a diagram showing the architecture of a customer terminal for use with the network of Figure 1;
Figure 3 is a diagram showing the architecture of a key management node for use with the network of Figure 1;
Figure 4 is a diagram showing the architecture of a data sender for use with the network of Figure 1;
Figure 5 is a diagram showing the format of a data packet transmitted on the network of Figure 1;
Figure 6 is a diagram showing the distribution of keys via key management nodes;
Figure 7 is a diagram showing a bi-directional hash chain;
Figure 8 is a diagram showing the generation of two blinding functions;
Figure 9 is a diagram showing a binary hash tree;
Figure 10 is a diagram showing a continuous binary hash tree;
Figure 11 is a diagram showing elements of a hybrid binary hash chain-tree;
Figure 12 is a diagram showing a hybrid binary hash chain tree;
Figure 13 is a diagram illustrating the construction of the hybrid binary hash chain-tree;
Figure 14 shows the sequence of growth of a binary hash chain-tree;
Figure 15 shows a continuous binary hash chain-tree hybrid;
Figure 16 shows elements of a second binary hash tree;
Figure 17 illustrates the revealing and blinding of seed pairs in BHC-T;
Figure 18 illustrates the revealing and blinding of seeds in the second binary hash tree;
Figure 19 shows a multi-dimensional key sequence; and
Figures 20a to 20e show a common model.

A data communications system includes a data server 1 connected via a data communications network 2 to a number of customer terminals 3. Although for ease of illustration only a few customer terminals are shown, in practice the data server 1 may communicate simultaneously with many terminals. In the present example, the data communications network 2 is the public Internet and is formed from a number of sub-networks 2a-2c interconnected by nodes 4. The sub-networks and the associated routers support IP (Internet Protocol) multicasting.

In the present example, the data server 1 is a video server. The data server reads a video data stream from a mass storage device 1a and compresses the data using an appropriate compression algorithm such as MPEG 2. An encryption module in the data server 1 then divides the compressed video data stream into application data units (ADUs). For example, each ADU may comprise data corresponding to one minute of the video signal. An encryption algorithm is then used to encrypt the ADUs with a systematically generated sequence of keys, a different key being used for each ADU. Suitable encryption algorithms include DES (data encryption standard) (US Federal standard FIPS PUB 46). This is a conventional private key algorithm. Seed values used in generating the sequence of keys are also communicated from the data server 1 to a number of key management nodes. The key management nodes are spread through the data communications network at different locations. In response to a request from one of the customer terminals, a key management node communicates to the terminal a number of seed values. Before issuing the seed values the respective key management node may carry out a check, for example, to establish that the relevant customer terminal has a right to access the requested data. For example, the customer may have requested access rights to a particular film being multicast from the video data server 1. Where this film is made available on a pay-per-view basis, then the key management node is responsible for checking that the customer has an account with the operator of the video data server and has made the appropriate prepayment for the film. If these conditions have been met, then the key management node issues to the customer seed values selected to allow the customer to generate keys corresponding to the portion of the key sequence used at the data server to encrypt the ADUs making up the film. As will be further described below, the algorithms used for the generation of the key sequences are such that an appropriate selection of seed values can be used to provide access to an arbitrarily bounded portion of the original key sequence.

Figure 2 shows the principal functional components of one of the customer terminals 3. A network interface 22 communicates ADUs to and from the data communications network 2. The ADUs pass from the interface 22 to an access module 23. By contrast with previous systems where the access module 23 may have been located within a separate secure module, for example, on a smart card, in systems embodying the present invention, the access module may simply be a software module running on the main processor of the customer terminals. The access module 23 comprises a decryption module D, a key generation module K and a seed store SS. The seed store stores the seed values received from the key management node and processes those seed values using a key construction algorithm, such as those described in further detail below, to generate a series of keys. The series of keys has a start point and an end point determined by the seed values held in the seed store SS. Keys from this sequence are passed sequentially to the decryption module D. The decryption module D decrypts a series of ADUs received from the interface 22, and passes these to an application layer module 24. This carries out further processing, for example using an MPEG2 decryption algorithm, and passes the resulting data to an output device, which in this example is a video display unit VDU 25. In a preferred implementation, the interface 22 may be embodied in hardware by an ISDN modem and in software by a TCP-IP (Transport Control Protocol - Internet Protocol) stack.

The customer terminal may be embodied in any one of a number of forms. For example, terminals may include personal computers with appropriate network interfaces, intelligent mobile phones, and set-top boxes designed to provide Internet access in conjunction with a television.

Figure 3 shows the architecture of one example of a key management node for use in the network of Figure 1. The node communicates packets both with the data sender and with customer terminals or "receivers" via a TCP-IP stack. Packets are communicated over a secure sockets layer (SSL) 32, using a public key encryption algorithm in a conventional fashion. A key management application 33 receives seed values from data senders and issues seed values to customer terminals in the manner described in further detail below. A data store 330 associated with the key management application 33 holds the seed values received from the or each data sender. Users interact with the key management application via a user interface 34 that may, for example, use HTML (hypertext mark-up language) and CGI to serve web pages to customer terminals.

Figure 4 shows the architecture of one example of a data sender for use in the network of Figure 1. A data application 41 outputs data which, in the present example, comprises an MPEG2 video stream divided into application data units. The video programme material is derived from a store 410. The ADUs are passed to an access module 42. This includes an encryption sub-module, a key generation sub-module K and a seed store SS. The sub-module K generates a sequence of keys using randomly generated seed values in conjunction with key construction algorithms such as those described in further detail below. Seed values may also be output from the access module 42 via a secure socket layer 43 and TCP-IP stack 44. Encrypted ADUs are also output via the TCP-IP stack 44.

Both the data server and the key management nodes may be implemented using commercially available platforms, such as COMPAQ Proliant™ servers or Sun Microsystems Enterprise 5000™ servers.






Figure 5 shows the format of one of the data frames output by a data sender. This includes a data payload carrying the encrypted ADU, a key index ki and a session identifier SE. The key index and session identifier are sent in the clear.

Typically the key values may be distributed to the customer terminals over the same communications network as that used for the distribution of the ADUs.

The term "application data unit" (ADU) is used in this document to describe the minimum unit of data that is useful from a security or commercial point of view. The size of an ADU may vary according to the application and security required. It may be an initialisation frame and an associated set of "P-frames" in a video sequence, or it may be ten minutes of access to a network game. The ADU used for encryption may be different from that used at different layers of an application. For example, in the present example the ADUs have a different duration to the video frames processed by the MPEG compression algorithm, and a different duration again from the individual programme items purchased by the customer. To enhance the performance of the system, an ADU may be only partially encrypted, with the remainder sent in the clear. ADU size may be varied through the duration of a stream dependent on the content. The size of the application data units is a primary determinant of system scalability: if a million receivers were to join a multicast data stream within fifteen minutes, but the ADU size was also 15 minutes, then this would only require one re-key event. Different key sequence construction algorithms will now be described in further detail.

Sender-decoupled architecture

The invention is not limited to use with a simple time-sequence as in the method of Figure 1. For example, the invention may be applied to a large-scale network game.

In such a game, the financial value of an ADU doesn't relate to time or data volume, but only to a completely application-specific factor. In this example, participation is charged per 'game-minute', a duration that is not strictly related to real-time minutes, but is defined and signalled by the game time-keeper. The game consists of many virtual zones, each moderated by a different zone controller. The zone controllers provide the background events and data that bring the zone to life.
They send this data encrypted on a multicast address per zone, but the same ADU index and hence key is used at any one time in all zones. Thus the whole game is one single secure multicast session despite being spread across many multicast addresses. Players can tune in to the background data for any zone as long as they have the current key. The foreground events created by the players in the zone are not encrypted, but they are meaningless without reference to this background data.

Fig 6 shows data flows in such a game. Only flows relevant to game security and only those sent once the game is in progress, not during set-up, are shown. All players are sending data, but the figure only shows encrypting senders, S - the zone controllers. Similarly, only receivers that decrypt, R, are shown - the game players. A game controller sets up the game security, which is not shown in the Figure, but is described below. Key management operations are delegated to a number of replicated key managers, KM, that use secure Web server technology.

The key to the secure multicast session is changed every game-minute (every ADU) in a sequence. All encrypted data is headed by an ADU index in the clear, which refers to the key needed to decrypt it. After the set-up phase, the game controller, zone controllers and key managers hold initial seeds that enable them to calculate the sequence of keys to be used for the entire duration of the game. Alternatively a staged set-up may be used.

Game set-up

1. The game controller (not shown) unicasts a shared 'control session key' to all KM and S after satisfying itself of the authenticity of their identity. All S as well as all KM run secure Web servers so that the session key can be sent to each of them encrypted with each public key using client authenticated secure sockets layer (SSL) communications. The game controller also notifies all KM and S of the multicast address it will use for control messages, which they immediately join.

2. The game controller then generates the initial seeds to construct the entire key sequence and multicasts them to all KM and all S, encrypting the message with the control session key and using a reliable multicast protocol suitable for the probably small number of targets involved.

3. The game is announced in an authenticated session directory announcement as described in Mark Handley (UCL), "On Scalable Internet Multimedia Conferencing Systems", PhD thesis (14 Nov 1997), regularly repeated over multicast (not shown). Authenticated announcement prevents an attacker setting up spoof payment servers to collect the game's revenues. The announcement protocol is enhanced to include details of key manager addresses and the price per game-minute. The key managers listen to this announcement as well as the receivers, in order to get the current price of a game-minute. The announcement must also specify which key sequence construction is in use.

Receiver session set-up, duration and termination

1. A receiver that wishes to pay to join the game, having heard it advertised in the session directory, contacts a KM Web server requesting a certain number of game-minutes using the appropriate form. This is shown as 'unicast set-up' in Fig 6. R pays the KM the cost of the requested game-minutes, perhaps giving her credit card details, or paying in some form of e-cash or in tokens won in previous games. In return, KM sends a set of intermediate seeds that will allow R to calculate just the sub-range of the key sequence that she has bought. The key sequence constructions described in the next section make this possible efficiently. All this takes place over secure sockets layer (SSL) communications with only KM needing authentication, not R.

2. R generates the relevant keys using the intermediate seeds she has bought. 

3. R joins the relevant multicasts determined by the game application, one of which is always the encrypted background zone data from one S. R uses the key sequence calculated in the previous step to decrypt these messages, thus making the rest of the game data meaningful.

4. Whenever the time-keeper signals a new game-minute (over the control multicast), all the zone controllers increment their ADU index and use the next key in the sequence. They all use the same ADU index. Each R notices that the ADU index in the messages from S has been incremented and uses the appropriate next key in the sequence.

5. When the game-minute index approaches the end of the sequence that R has bought, the application gives the player an 'Insert coins' warning before she loses access. The game-minutes continue to increment until the point is reached where the key required is outside the range that R can feasibly calculate. If R has not bought more game-minutes, she has to drop out of the game.
This scenario illustrates how senders can be completely decoupled from all receiver join and leave activity as long as key managers know the financial value of each ADU index or the access policy to each ADU through some pre-arrangement. There is no need for any communication between key managers and senders. Senders never need to hear about any receiver activity. If key managers need to avoid selling ADUs that have already been transmitted, they merely need to synchronise with the changing stream of ADU sequence numbers from senders. In the example, key managers synchronise by listening in to the multicast data itself. In other scenarios, synchronisation may be purely time-based, either via explicit synchronisation signals or implicitly by time-of-day synchronisation. In yet other scenarios (e.g. multicast distribution of commercial software), the time of transmission may be irrelevant. For instance, the transmission may be regularly repeated, with receivers being sold keys to a part of the sequence that they can tune in to at any later time.

In this example, pre-payment is used to buy seeds. This ensures key managers hold no state about their customers. This means they can be infinitely replicated as no central state repository is required, as would otherwise be the case if seeds were bought on account and the customer's account status needed to be checked.

Different methods of key construction are now described.

Key sequence construction

In all the key sequence constructions below, the following notations are used:

• b(v) is the notation used for a function that blinds the value of v. That is, a computationally limited adversary cannot find v from b(v). An example of a blinding or one-way function is a hash function such as the MD5 hash [IETF RFC 1321] or the standard Secure Hash 1 [NIST SHA-1]. Good hash functions typically require only lightweight computational resources. Hash functions are designed to reduce an input of any size to a fixed size output. In all cases, we will use an input that is already the same size as the output, merely using the blinding property of the hash, not the size reduction property.

• b^h(v) means the function b() applied repeatedly to the previous result, h times in all.

• r(v) is any computationally fast one-to-one function that maps from a set of input values to itself. A circular (rotary) bit shift is an example of such a function.

• c(v1, v2, ...) is a function that combines the values of v1, v2 etc. such that given the result and all but one of the operands, the remaining operand can be trivially deduced. c() should also be chosen such that, if the bits of the operands are independent and unbiased, the bits of the result will also be independent and unbiased. The XOR function is a simple example of such a combinatorial function. c() should also ideally be the function that can be used to trivially deduce the remaining operand, as is the case with XOR, that is: v1 = c(c(v1, v2, ...), v2, ...).

A common model for all the constructions will be presented in Section 4.5, but it 
is clearer to introduce each scheme on its own terms first. 


Bi-directional hash chain (BHC)

The bi-directional hash chain construction only proves to be secure in a limited form, but we persist in describing it as the limited version forms the basis of a later scheme. There may also be scenarios where the unlimited form is of use:

1. The sender randomly generates two initial seed values, v(0,0) & v(0,1). As a concrete example, we will take these values as 128 bits wide.

2. The sender decides on the required maximum key sequence length, H.

3. The sender repeatedly applies the same blinding function to each seed to produce two seed chains of equal length, H. The values are therefore v(0,0) to v(H-1,0) and v(0,1) to v(H-1,1). As the term H-1 appears frequently, for brevity, we will introduce another constant G = H-1. Thus formally, v(h,0) = b^h(v(0,0)); v(h,1) = b^h(v(0,1)) (4.1.1).

4. To produce key k0, the sender combines the first seed from chain zero, v(0,0), with the last from chain one, v(G,1). To produce key k1, the sender combines the second seed from chain zero, v(1,0), with the penultimate from chain one, v(G-1,1), etc. Formally, kh = c(v(h,0), v(G-h,1)) (4.1.2).

Strictly, the stream cipher in use may not require 128b keys, therefore a shorter key may be derived from the result of this combination by truncation of the most (or least) significant bits, typically to 64b. The choice of stream cipher is irrelevant as long as it is fast and secure.

5. The sender starts multicasting the stream, encrypting ADU0 (application data unit 0) with k0, ADU1 with k1, etc., but leaving at least the ADU sequence number in the clear.

6. If the sender delegates key management, it must privately communicate 
the two initial seed values to the key managers. New initial seed pairs can 
be generated and communicated to key managers in parallel to streaming 
data encrypted with keys calculated earlier. 

A receiver reconstructs a portion of the sequence as follows: 

1. When a receiver is granted access from ADU_m to ADU_n, the sender (or a key 
manager) unicasts seeds v(m,0) and v(G-n,1) to that receiver. 

2. That receiver produces seed chains v(m,0) to v(n,0) and v(G-n,1) to v(G-m,1) 
by repeatedly applying the blinding function to the seeds sent, using (4.1.1). 

3. The receiver produces keys k_m to k_n using (4.1.2) as the sender did. 

However, any seeds v(h,0) where h < m, or v(h,1) where h < G-n, cannot 
feasibly be known by this receiver without an exhaustive search of the 
blinded seeds that 'precede' those the sender has revealed. Therefore, 
keys outside the range k_m to k_n cannot feasibly be calculated by this 
receiver. 

4. Any other receiver can be given access to a completely different range of 
ADUs by sending the relevant seeds at the bounds of that range; the 'start' 
seed from the first chain and the 'end' seed from the second chain. 

In figure 7 the ranges of seeds with a dark grey background represent those 
blinded from the first mentioned receiver. This leads to the keys with a dark grey 
background also being blinded from this receiver. 

Therefore, each receiver can be given access to any contiguous range of keys by 
sending just two seeds per receiver per session. Unfortunately, this construction is of 
limited use unless each receiver can be restricted to only ever having one range of keys 
revealed within one sender sequence. If a receiver is granted access to an early range 
and then another, later range (say k_0 to k_1 and then k_{G-1} to k_G), it can then calculate 
all the values between the two (k_2 to k_{G-2}). This is because seeds v(0,0), v(G-1,1), 
v(G-1,0) and v(G,1) will have had to be revealed, but v(0,0) and v(G,1) alone reveal the 
whole sequence. 

One way round this restriction is to regularly restart the second chain with a new 
seed value (i.e. keeping H low) and to disallow two accesses for one receiver within H 
ADUs of each other. However, this requires holding per-customer state at the key 
manager. There may be niche applications where this scheme is appropriate, such as 
commercial models where customers can only extend a subscription, not withdraw then 
re-instate it. In such cases, this would be an extremely efficient scheme. 

A second way round this restriction is to note that two disjoint chains are only possible if 
there is room for a gap between two minimally short chains. In other words, a chain with 
H<4 will always be secure. Such a short chain doesn't seem much use, but later we will 
use this feature to build a hybrid construction from short BHC fragments. 
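The BHC construction above as an added Python illustration (not part of the original text): the sender builds both chains and the keys per (4.1.1) and (4.1.2), a receiver rebuilds k_m to k_n from the two seeds it is sent, and derivable_keys() shows why two ranges revealed to the same receiver expose the whole sequence. The hash (SHA-256 truncated to 128 bits), XOR as c(), H=8 and the sample seeds are assumptions made here.

```python
import hashlib

SEED_BYTES = 16  # 128-bit seeds, the concrete width used in the text


def blind(v: bytes) -> bytes:
    """Blinding function b(): SHA-256 truncated to 128 bits (assumed choice;
    the text only needs a fast one-way function)."""
    return hashlib.sha256(v).digest()[:SEED_BYTES]


def combine(a: bytes, b: bytes) -> bytes:
    """Combining function c(): XOR, so either operand can be recovered from
    the result and the other operand."""
    return bytes(x ^ y for x, y in zip(a, b))


def chain(seed: bytes, length: int) -> list:
    """Equation (4.1.1): [v(0), b(v(0)), b^2(v(0)), ...] of the given length."""
    out = [seed]
    for _ in range(length - 1):
        out.append(blind(out[-1]))
    return out


def sender_keys(v00: bytes, v01: bytes, H: int) -> list:
    """Equation (4.1.2): k_h = c(v(h,0), v(G-h,1)) for h = 0..G, with G = H-1."""
    c0, c1 = chain(v00, H), chain(v01, H)
    G = H - 1
    return [combine(c0[h], c1[G - h]) for h in range(H)]


def reveal(v00: bytes, v01: bytes, H: int, m: int, n: int) -> tuple:
    """Seeds unicast to a receiver granted ADU_m..ADU_n: v(m,0) and v(G-n,1)."""
    G = H - 1
    return chain(v00, H)[m], chain(v01, H)[G - n]


def receiver_keys(vm0: bytes, vgn1: bytes, m: int, n: int) -> dict:
    """Receiver side: extend both revealed seeds by n-m blindings and combine
    them pairwise, giving exactly k_m..k_n (key index -> key)."""
    width = n - m + 1
    c0 = chain(vm0, width)    # v(m,0) .. v(n,0)
    c1 = chain(vgn1, width)   # v(G-n,1) .. v(G-m,1)
    return {m + h: combine(c0[h], c1[width - 1 - h]) for h in range(width)}


def derivable_keys(revealed_positions: list, H: int) -> set:
    """Key indexes a receiver can compute from revealed seeds given as
    (chain, h) positions.  A revealed v(h,c) yields every later seed of
    chain c, so k_x is computable iff x >= lowest h revealed on chain 0 and
    G-x >= lowest h revealed on chain 1."""
    G = H - 1
    lows = {0: None, 1: None}
    for c, h in revealed_positions:
        lows[c] = h if lows[c] is None else min(lows[c], h)
    if lows[0] is None or lows[1] is None:
        return set()
    return {x for x in range(H) if x >= lows[0] and G - x >= lows[1]}


# Constructed sample seeds (fixed rather than random, for a reproducible run).
DEMO_V00 = bytes(range(16))
DEMO_V01 = bytes(range(16, 32))
DEMO_H = 8


def demo() -> dict:
    """One receiver given k_2..k_5; then a receiver given k_0..k_1 and later
    k_6..k_7, whose two seed pairs together expose the whole sequence."""
    keys = sender_keys(DEMO_V00, DEMO_V01, DEMO_H)
    vm0, vgn1 = reveal(DEMO_V00, DEMO_V01, DEMO_H, 2, 5)
    got = receiver_keys(vm0, vgn1, 2, 5)
    G = DEMO_H - 1
    single = derivable_keys([(0, 2), (1, G - 5)], DEMO_H)
    two_ranges = derivable_keys([(0, 0), (1, G - 1), (0, 6), (1, G - 7)], DEMO_H)
    return {"matches_sender": all(got[i] == keys[i] for i in range(2, 6)),
            "single_range": single, "two_ranges": two_ranges}


if __name__ == "__main__":
    print(demo())
```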

Binary hash tree (BHT) 

The binary hash tree requires two blinding functions, b0() and b1(), to be well- 
known. We will term these the 'left' and the 'right' blinding functions. Typically they could 
be constructed from a single blinding function, b(), by applying one of two simple one-to- 
one functions, r0() and r1(), before the blinding function, as illustrated in Fig 8. 

Thus: 

b0(s) = b(r0(s)); b1(s) = b(r1(s)) 

For instance, the first well-known blinding function could be a one bit left circular 
shift followed by an MD5 hash, while the second blinding function could be a one bit right 
circular shift followed by an MD5 hash. Other alternatives might be to precede one 
blinding function with an XOR with 1 or a concatenation with a well-known word. It seems 
advantageous to choose two functions that consume minimal but equal amounts of 
processor resource, as this balances the load in all cases and limits the susceptibility to 
covert channels that would otherwise appear, given that the level of processor load would 
reveal the choice of function being executed. Alternatively, for efficiency, two variants of a 
hash function could be used, e.g. MD5 with two different initialisation vectors. However, it 
seems ill-advised to tamper with tried-and-tested algorithms. 
This key sequence is constructed as follows: 

1. The sender generates an initial seed value, s(0,0), at random. 
Again, as a concrete example, we will take its value as 128 bits wide. 

2. The sender decides on the required maximum tree depth, D, which will lead 
to a maximum key sequence length, N_0 = 2^D, before a new initial seed is 
required. 

3. The sender generates two 'left' and 'right' first level intermediate seed 
values, applying respectively the 'left' and the 'right' blinding functions to the 
initial seed: 

s(1,0) = b0(s(0,0)); s(1,1) = b1(s(0,0)). 

The sender generates four second level intermediate seed values: 
s(2,0) = b0(s(1,0)); s(2,1) = b1(s(1,0)); 
s(2,2) = b0(s(1,1)); s(2,3) = b1(s(1,1)). 

and so on, creating a binary tree of intermediate seed values to a depth of 
D levels. 

Formally, if s(d,i) is an intermediate seed that is d levels below the initial seed, s(0,0): 
s(d,i) = b_p(s(d-1, ⌊i/2⌋)) (4.2.1) 
where p=0 for even i and p=1 for odd i. 

4. The key sequence is then constructed from the seed values across the 
leaves of the tree, or truncated derivations of them as before. 

That is, if D=5, k_0 = s(5,0); k_1 = s(5,1); ... k_31 = s(5,31). 
Formally, k_i = s(D,i) (4.2.2) 

5. The sender starts multicasting the stream, encrypting ADU_0 with k_0, ADU_1 
with k_1 etc., but leaving at least the ADU sequence number in the clear. 

6. If the sender delegates key management, it must privately communicate 
the initial seeds to the key managers. New initial seeds can be generated 
and communicated to key managers in parallel to streaming data encrypted 
with keys calculated earlier. 



A receiver reconstructs a portion of the sequence as follows: 

1. When a receiver is granted access from ADU_m to ADU_n, the sender (or a key 
manager) unicasts a set of seeds to that receiver (e.g. using SSL). The set 
consists of the intermediate seeds closest to the tree root that enable 
calculation of the required range of keys without enabling calculation of any 
key outside the range. 

These are identified by testing the indexes, i, of the minimum and maximum 
seed, using the fact that an even index is always a 'left' child, while an odd 
index is always a 'right' child. A test is performed at each layer of the tree, 
starting from the leaves and working upwards. A 'right' minimum or a 'left' 
maximum always needs revealing before moving up a level. If a seed is 
revealed, the index is shifted inwards by one seed, so that, before moving 
up a layer, the minimum and maximum are always even and odd 
respectively. To move up a layer, the minimum and maximum indexes are 
halved and rounded down if necessary. This ensures the difference 
between them predictably reduces by two. The odd/even tests are repeated 
on the new indexes, revealing a 'right' minimum or 'left' maximum as 
before. The process continues until the minimum and maximum cross or 
meet. They can cross after either or both have been shifted inwards. They 
can meet after they have both been shifted upwards, in which case the 
seed where they meet needs revealing before terminating the procedure. 
This procedure is described more formally, in C-like code, in Appendix A. 

2. Clearly, each receiver needs to know where each seed it is given resides in 
the tree. The seeds and their indexes can be explicitly paired when they are 
revealed. Alternatively, to reduce the bandwidth required, the protocol may 
specify the order in which seeds are sent so that each index can be 
calculated implicitly from the minimum and maximum index and the order of 
the seeds. This is possible because there is only one minimal set of seeds 
that allows re-creation of any one range of keys. 

Each receiver can then repeat the same pairs of blinding functions on these 
intermediate seeds as the sender did to re-create the sequence of keys, 
k_m to k_n (Equations 4.2.1 & 4.2.2). 

3. Any other receiver can be given access to a completely different range of 
ADUs by being sent a different set of intermediate seeds. 
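An added worked example, not from the original text: the BHT with the 'left' and 'right' blinding functions of Fig 8 (one-bit rotations followed by a hash; SHA-256 truncated to 128 bits is an assumed stand-in for MD5), the seed-revealing procedure of step 1 implemented from the prose description above (Appendix A itself is not on this page), and the receiver's reconstruction. The initial seed and the k_3 to k_9 range are constructed for the run.

```python
import hashlib

SEED_BITS = 128
MASK = (1 << SEED_BITS) - 1


def _hash128(x: int) -> int:
    """Base one-way function b(): SHA-256 truncated to 128 bits (assumed choice)."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(16, "big")).digest()[:16], "big")


def r0(x: int) -> int:
    """One-bit left circular shift of a 128-bit value."""
    return ((x << 1) | (x >> (SEED_BITS - 1))) & MASK


def r1(x: int) -> int:
    """One-bit right circular shift of a 128-bit value."""
    return ((x >> 1) | ((x & 1) << (SEED_BITS - 1))) & MASK


def b0(s: int) -> int:
    """'Left' blinding function b0(s) = b(r0(s))."""
    return _hash128(r0(s))


def b1(s: int) -> int:
    """'Right' blinding function b1(s) = b(r1(s))."""
    return _hash128(r1(s))


def build_tree(s00: int, D: int) -> dict:
    """Equation (4.2.1): s(d,i) = b_p(s(d-1, floor(i/2))), p = i mod 2, for d <= D."""
    tree = {(0, 0): s00}
    for d in range(1, D + 1):
        for i in range(2 ** d):
            parent = tree[(d - 1, i // 2)]
            tree[(d, i)] = b0(parent) if i % 2 == 0 else b1(parent)
    return tree


def seeds_to_reveal(D: int, m: int, n: int) -> list:
    """Indexes (d,i) of the minimal seed set covering k_m..k_n and nothing else,
    following the leaf-upwards procedure: an odd ('right') minimum or an even
    ('left') maximum is revealed and shifted inwards; both indexes are then
    halved to move up a layer; stop when they cross (nothing more to reveal)
    or meet (reveal the common ancestor)."""
    reveal = []
    d, lo, hi = D, m, n
    while lo <= hi:
        if lo == hi:
            reveal.append((d, lo))
            break
        if lo % 2 == 1:
            reveal.append((d, lo))
            lo += 1
        if hi % 2 == 0:
            reveal.append((d, hi))
            hi -= 1
        d, lo, hi = d - 1, lo // 2, hi // 2
    return reveal


def receiver_keys(revealed: dict, D: int) -> dict:
    """Receiver side: expand each revealed seed (d,i) down to the leaves under
    it with (4.2.1), returning key index -> key value as in (4.2.2)."""
    keys = {}
    for (d, i), s in revealed.items():
        level = {i: s}
        for _ in range(D - d):
            level = {**{2 * j: b0(v) for j, v in level.items()},
                     **{2 * j + 1: b1(v) for j, v in level.items()}}
        keys.update(level)
    return keys


DEMO_S00 = 0x0123456789ABCDEF0123456789ABCDEF  # constructed initial seed
DEMO_D = 4


def demo(m: int = 3, n: int = 9) -> dict:
    """Sender builds the D=4 tree, reveals the minimal set for k_m..k_n, and the
    receiver rebuilds exactly those keys and no others."""
    tree = build_tree(DEMO_S00, DEMO_D)
    chosen = seeds_to_reveal(DEMO_D, m, n)
    revealed = {pos: tree[pos] for pos in chosen}
    got = receiver_keys(revealed, DEMO_D)
    expected = {i: tree[(DEMO_D, i)] for i in range(m, n + 1)}
    return {"revealed": chosen, "exact_range": got == expected}


if __name__ == "__main__":
    print(demo())
```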

The creation of a key sequence with D=4 is graphically represented in Fig 9. 

As an example, we circle the relevant intermediate seeds that allow one receiver 
to re-create the key sequence from kg to ke. The seeds and keys that remain blinded from 
this receiver are shown on a grey background. Of course, a value of D greater than 4 
would be typical in practice. 

Note that each layer can be assigned an arbitrary value of d as long as it uniquely 
identifies the layer. Nothing relies on the actual value of d or D. Therefore it is not 
necessary for the sender to reveal how far the tree extends upwards, thus improving 
security. 

Often a session will have an unknown duration when it starts. Clearly, the choice 
of D limits the maximum length of key sequence from any one starting point. The simplest 
work-round is just to generate a new initial seed and start a new binary hash tree 
alongside the old if it is required. If D is known by all senders and receivers, a range of 
keys that overflows the maximum key index, 2^D, will be immediately apparent to all parties. 
In such cases it would be sensible to allocate a 'tree id' for each new tree and specify this 
along with the seeds for each tree. 

Another way to avoid this upper limit is to make D variable instead of constant, 
e.g. D = D_0 + f(i). Fig 10 shows such a continuous BHT where D_0=4 and where D rises by 
one every M keys. In this example M takes a fixed value of 7. However, there is little point 
in adding this complexity, as the only seeds common to the different branches of the tree 
are those along the far right-hand branch of the tree, s(d, 2^d). If any of these were ever 
revealed the whole future tree would have been revealed. Therefore, this 'improvement' 
can never be used to add efficiency when revealing arbitrary ranges of keys to receivers, 
and all it saves is the sender very occasionally passing a new initial seed in a trivial 
message to the key managers. On the contrary, it introduces a security weakness, as it 
creates a set of seeds of 'infinite' value for which any amount of exhaustive searching will 
be worthwhile. On the other hand, regularly having to generate a new initial seed, as in 
the first work-round, sets a ceiling on the vulnerability of the BHT to attack. 



Binary hash chain-tree hybrid (BHC-T) 

This construction is termed hybrid because a binary hash tree (BHT) is built from 
fragments of bi-directional hash chains (BHCs) that are just two seeds long. For ease of 
understanding only, we will start the explanation by building the tree in the root to leaf 
direction in order to construct a BHC fragment, as shown in Fig 11. Later we will 
recommend that the best way to build the tree is from the side rather than the root. 

1. Let us assume we have two initial seed values generated randomly, s(0,0) 
and s(0,1). Again, as a concrete example, we will take their values as 128 
bits wide. 






2. We now apply the same blinding function to each seed to produce two 
blinded seeds, v(1,0) and v(1,1). 

3. To produce child seed s(1,1), we combine the first seed, s(0,0), with the 
blinded second seed, v(1,1). 

To produce child seed s(1,2), we combine the second seed, s(0,1), with the 
blinded first seed, v(1,0). 

4. If we now randomly generate a third initial seed, s(0,2), and blind it to 
produce v(1,2), we can combine the second and third initial seeds and their 
opposite blinded values in the same way to produce two more child seeds, 
s(1,3) and s(1,4). This means that every parent seed produces four children, 
two when combined (incestuously) with its sibling to one side and the other 
two when combined with its half-sibling to the other side. In consequence, 
this construction produces a binary tree if new child seeds are blinded and 
combined as their parents were, because the number of seeds doubles in 
each generation. However, the tree only branches under the middle of the 
top row of seeds (assuming more than two initial seeds are created along 
this row). The edges of the tree 'wither' inwards if built from the top (but 
see later). 

Formally, 

s(d,i) = c(s(d-1, ⌊i/2⌋), v(2d-1, ⌊i/2⌋+1)) for odd i 
       = c(s(d-1, i/2), v(2d-1, i/2-1)) for even i (4.3.1) 
where 

v(h,j) = b(s((h-1)/2, j)). 



Fig 11a) illustrates two pairs of parent seeds of the BHC-T hybrid, <s(0,0), s(0,1)> 
and <s(0,1), s(0,2)>. The rings identify the parent seed that is common to each pair, 
although the outer values in the outer rings fall off the edge of the diagram, because we 
focus on the descendants of just the central parent seed, s(0,1). Fig 11b) shows the same 
three parents producing the same four children, but hiding the blinded seeds from view as 
they are never communicated, in order to better illustrate how a binary tree is being 
formed. The ringed parent seeds in the lower diagram represent the same three ringed 
seeds shown in the upper diagram. The two dotted arrows that continue the sequence to 
the right show how parent seed s(0,2) would produce another two children if there were 
another parent to the right. The dotted lines joining each pair of arrows represent the fact 
that both parents above this line combine to produce both children below it. We will 
represent this construction in later diagrams using the simplified form. 

Fig 12 shows part of an example hybrid tree. As with the binary hash tree, the 
keys used to encrypt successive ADUs are the sequence of seeds at the leaves of the 
tree or truncated derivations of them. The figure shows how to reveal an example range of 
keys, k_3 to k_9, by revealing the ringed seeds to a particular receiver. 

We now move to a further twist in this construction in order to explain how 
to build the tree from the side rather than the root. It was noted earlier that the XOR 
function was chosen because if the XOR of two operands produces a third value, any 
two of these three values may be XORed to produce the third. This is illustrated in 
Fig 13, where the values of all the seeds are the same as in Fig 11. If s(0,1) is initially 
unknown, but s(0,0) and s(1,2) are known, s(0,1) and then s(1,1) may be derived because of 
this 'twist' property: 

s(0,1) = c(s(1,2), b(s(0,0))) then 
s(1,1) = c(s(0,0), b(s(0,1))) 
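The root-to-leaf BHC-T construction (4.3.1) and the 'twist' just described, as an added Python example that is not part of the original text: the tree is grown from three initial seeds, the layer widths show the edges withering inwards, and twist_demo() recovers s(0,1) and then s(1,1) from s(0,0) and s(1,2). The blinding function (SHA-256 truncated to 128 bits), XOR as c(), the rule that a child exists only where both parents exist, and the sample seeds are assumptions made here.

```python
import hashlib


def blind(s: int) -> int:
    """Blinding function b(): SHA-256 truncated to 128 bits (assumed choice)."""
    return int.from_bytes(hashlib.sha256(s.to_bytes(16, "big")).digest()[:16], "big")


def combine(a: int, b: int) -> int:
    """Combining function c(): XOR, so any operand is recoverable from the
    other operand and the result (the 'twist' property)."""
    return a ^ b


def parents(i: int) -> tuple:
    """Equation (4.3.1): s(d,i) combines the unblinded parent s(d-1, u) with the
    blinded neighbour v(2d-1, w) = b(s(d-1, w)).  Returns (u, w)."""
    if i % 2 == 1:
        return i // 2, i // 2 + 1
    return i // 2, i // 2 - 1


def build_from_root(initial: list, D: int) -> dict:
    """Root-to-leaf construction from a row of initial seeds s(0,0..n-1).
    A child is created only where both of its parents exist (assumed edge
    rule), so the edges of the tree 'wither' inwards as the text describes."""
    tree = {(0, i): s for i, s in enumerate(initial)}
    for d in range(1, D + 1):
        prev = [i for (dd, i) in tree if dd == d - 1]
        for i in range(2 * min(prev) - 1, 2 * max(prev) + 3):
            u, w = parents(i)
            if (d - 1, u) in tree and (d - 1, w) in tree:
                tree[(d, i)] = combine(tree[(d - 1, u)], blind(tree[(d - 1, w)]))
    return tree


def layer_widths(tree: dict) -> list:
    """Number of seeds in each layer d = 0, 1, ... (doubles, minus two)."""
    depth = max(d for d, _ in tree)
    return [sum(1 for (d, _) in tree if d == k) for k in range(depth + 1)]


def twist_parent(child: int, blinded_neighbour: int) -> int:
    """Equation (4.3.2): recover the unblinded parent s(d-1, floor(i/2)) from
    child s(d,i) and the blinded neighbour the child was combined with."""
    return combine(child, blinded_neighbour)


# Constructed initial seeds s(0,0), s(0,1), s(0,2) (fixed, not random, so the
# run is reproducible).
DEMO_INITIAL = [0x1111_2222_3333_4444_5555_6666_7777_8888,
                0x9999_AAAA_BBBB_CCCC_DDDD_EEEE_FFFF_0000,
                0x0F0F_1E1E_2D2D_3C3C_4B4B_5A5A_6969_7878]


def twist_demo() -> dict:
    """The text's example: knowing s(0,0) and s(1,2) but not s(0,1), derive
    s(0,1) = c(s(1,2), b(s(0,0))) and then s(1,1) = c(s(0,0), b(s(0,1)))."""
    tree = build_from_root(DEMO_INITIAL, 1)
    s00, s12 = tree[(0, 0)], tree[(1, 2)]
    s01 = twist_parent(s12, blind(s00))   # even i=2: neighbour index is i/2-1 = 0
    s11 = combine(s00, blind(s01))        # (4.3.1) with i=1
    return {"s01_recovered": s01 == tree[(0, 1)],
            "s11_recovered": s11 == tree[(1, 1)]}


if __name__ == "__main__":
    print(layer_widths(build_from_root(DEMO_INITIAL, 3)), twist_demo())
```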

Fig 14 shows how a sender can build the BHC-T hybrid construction from the 
'side'. The order of seed creation is shown by numbered circles. Seeds that can be 
created in any order are all allocated the same number followed by a distinguishing letter. 
The darker circles next to ringed nodes represent seeds that have to be randomly 
generated. We shall call these primary seeds. These fix the values of all subsequent 
intermediate seeds until the next ringed node. 

1. The sender randomly generates the 128 bit value of seed 0. 

2. Seeds 1 & 2 are then generated. They form the diagonal corners of a box 
of four seeds, thus setting the opposite corner values, 3 then 4, by the 'twist' 
algorithms: 

s(d-1, ⌊i/2⌋) = c(s(d,i), v(2d-1, ⌊i/2⌋+1)) for odd i 
             = c(s(d,i), v(2d-1, i/2-1)) for even i (4.3.2) 

where 

v(h,j) = b(s((h-1)/2, j)). 

Note that if d=0 for the root seed, d becomes increasingly negative in the leaf to 
root direction. 

3. Seed 5 must then be generated, forming another pair of diagonal corners. 

4. This reveals the opposite corners, seeds 6 then 7, by equation (4.3.2). 

5. Seeds 7 and 2 then form the top corners of another box of four, setting 
seeds 8a & 8b by equations (4.3.1). 

6. The pattern continues in a similar fashion after seed 9 has been randomly 
generated. An advantage of this construction is that the tree can grow 
indefinitely - it is not necessary to decide any limits in advance. 

7. The sender starts multicasting the stream, encrypting ADU_0 with k_0, ADU_1 
with k_1 etc., but leaving at least the ADU sequence number in the clear. 

Formally, k_i = s(D,i) where D=0 (4.3.3) 

8. If the sender delegates key management, it must privately communicate 
the primary seeds to the key managers. New primary seeds can be 
generated and communicated to key managers in parallel to streaming data 
encrypted with keys calculated earlier. 

A receiver reconstructs a portion of the sequence as follows: 

1. When a receiver is granted access from ADU_m to ADU_n, the sender (or a key 
manager) unicasts a set of seeds to that receiver. The set consists of the 
smallest set of intermediate seeds in the tree that enable calculation of the 
required range of keys. 

These are identified by testing the indexes, i, of the minimum and maximum 
seed in a similar but mirrored way to the BHT. A 'left' minimum or a 'right' 
maximum always needs revealing before moving up a level. If a seed is 
revealed, the index is shifted inwards by one seed, so that, before moving 
up a layer, the minimum and maximum are always odd and even 
respectively. To move up a layer, the minimum and maximum indexes are 
halved and rounded down if necessary. This ensures the difference 
between them predictably reduces by one. The odd/even tests are 
repeated on the new indexes. The process continues until the minimum 
and maximum are two or three apart. If they are two apart they are 
revealed along with the seed between them. If they are three apart they 
are only revealed along with both seeds between them if the minimum is 
even. If it is odd, it will be worth moving up one more layer so nothing is 
revealed and one more round is allowed. Before the tests start, exceptional 
initial conditions are tested for, where the requested range is already less 
than two wide. 

This procedure is described more formally, in C-like code, in Appendix B. 

2. Clearly, each receiver needs to know where each seed it is given resides in 
the tree. The seeds and their indexes can be explicitly paired when they are 
revealed. Alternatively, to reduce the bandwidth required, the protocol may 
specify the order in which seeds are sent so that each index can be 
calculated implicitly from the minimum and maximum index and the order of 
the seeds. For instance, the algorithm in Appendix B will always reveal the 
same seeds in the same order for the same range of keys. 

3. Each receiver can then repeat the same pairs of blinding and combining 
functions on these intermediate seeds as the sender did to re-create the 
sequence of keys, k_m to k_n (Equations 4.3.1, 4.3.2 & 4.3.3). 

4. Any other receiver can be given access to a completely different range of 
ADUs by being sent a different set of intermediate seeds. 

Because the BHC-T can be built from the side, it is ideal for sessions of unknown 
duration. The continual random generation of new intermediate root seeds limits its 
vulnerability to attack but allows continuous calculation of the sequence. To further limit 
vulnerability, the sender could delay the generation of future seeds in order to deny any 
receiver the ability to calculate keys beyond a certain future point in the sequence. This 
would limit the time available for a brute force search of the seed-space. Nonetheless, 
building the tree from the side causes the number of keys dependent on each new root 
seed (and consequently the value of an attack on that seed) to grow exponentially. 

The value of a root seed can be bounded by regularly incrementing the level 
defined to be the leaf level, moving it one layer closer to the root after each sequence of M 
keys (except the first). 

Formally this requires equation (4.3.3) to be replaced with: 

k_i = s(-⌊i/M⌋, i) for i<M 

k_i = s(1-⌊i/M⌋, i) for i≥M (4.3.4) 

This is illustrated in Fig 15 with M=8. Of course, in practice M would be a lot larger 
in order to ensure all reasonable length receiver sessions could be described efficiently 
without hitting the top left-hand branch of the tree. 

We noted earlier that a BHC was only intrinsically secure when H<4. The BHC 
fragments used in this chain-tree hybrid have H=2, which ensures the security of the 
hybrid scheme. This also suggests that a binary chain-tree hybrid could be constructed 
from chain fragments of length three (H=3) without compromising security. In this case, 
each parent seed would produce six children when paired with its sibling and half-sibling, 
giving a threefold growth in tree width at each level (a ternary tree - BHC3-T). This 
construction is shown in Fig 20e but a full analysis is left for future work. It has the 
potential to be more efficient than BHC-T, if a little more complex. 

Binary hash tree II (BHT2) 

We now present a further binary tree based construction that combines the BHT 
and the BHC-T approaches in a way that greatly tightens security against brute force 
attack. We use the same notation for the seeds, s(d,i), but with the origin for d being at the 
root as for BHT, its value rising as it approaches the leaves. One element of the tree is 
shown in Fig 16. We use two blinding functions in this construction, b0() and b1(), which we 
will term 'left' and 'right' respectively, as was the case with the BHT. 

1. Let us assume we have two randomly generated initial seed values, s(0,0) 
and s(0,1). Again, as a concrete example, we will take their values as 128 
bits wide. 

2. The sender decides on the required maximum tree depth, D. 

We produce two blinded values from each of these initial seeds, one with 
each of the blinding functions: 
v(1,0) = b0(s(0,0)); v(1,1) = b1(s(0,0)); 
v(1,2) = b0(s(0,1)); v(1,3) = b1(s(0,1)). 

3. To produce child seed s(1,1), we combine the two left blinded seeds, v(1,0) 
and v(1,2). 

To produce child seed s(1,2), we combine the two right blinded seeds, 
v(1,1) and v(1,3). 

4. If we now randomly generate a third initial seed, s(0,2), we can combine the 
second and third initial seeds in the same way to produce two more child 
seeds, s(1,3) and s(1,4). As with the BHC-T hybrid, this means that every 
parent seed produces two children enabling us to build a binary tree, but 
with the edges 'withering' inwards. In fact, if layer d contains n_d seeds, 
n_{d+1} = 2n_d - 2. As long as more than two initial seeds are used, the tree will 
tend towards a binary tree. 
Formally: 

s(d,i) = c(v(2d-1, ⌊i/2⌋), v(2d-1, ⌊i/2⌋+1)) for odd i 
       = c(v(2d-1, i/2), v(2d-1, i/2-1)) for even i (4.4.1) 
where 

v(h,j) = b(s((h-1)/2, j)). 

5. The key sequence is then constructed from the seed values across the 
leaves of the tree. 
Formally, k_i = s(D,i) (4.4.2) 

6. The sender starts multicasting the stream, encrypting ADU_0 with k_0, ADU_1 
with k_1 etc., but leaving at least the ADU sequence number in the clear. 

Fig 16a) illustrates two parent seed pairs of the BHT2, <s(0,0), s(0,1)> and <s(0,1), 
s(0,2)>. The rings identify the parent seed that is common to each pair in both parts a) and 
b) of the figure, in exactly the same fashion as was used to illustrate the BHC-T hybrid. As 
before, Fig 16b) shows how a tree of seeds built with BHT2 can be represented, hiding 
the intermediate blinded values from view for clarity. Once these internal values are 
hidden, the resulting BHT2 looks identical to the BHC-T hybrid in Fig 4.3.2. 

The algorithm to calculate which seeds to reveal in order to reveal a range of 
keys is also identical to that for the BHC-T hybrid in Appendix B, thus the ringed seeds in 
Fig 12 would still reveal k_3 to k_9 to a particular receiver. 

The maximum number of keys across the leaves of a BHT2 built from three initial 
seeds (at layer 0) to depth D is 2^D + 2. If a continuous tree is required, the keys can be 
defined to step down the layers of intermediate seeds rather than stay level across them, 
similar to the continuous BHT shown in Fig 10. 

We have shown how to build a binary tree using only two of the combinations of the four 
blinded values in (4.4.1). 

Taking the four values two at a time gives six possible combinations: 
c1 = c(v(1,0), v(1,1)) 
c2 = c(v(1,2), v(1,3)) 
c3 = c(v(1,0), v(1,2)) 
c4 = c(v(1,1), v(1,3)) 
c5 = c(v(1,0), v(1,3)) 
c6 = c(v(1,1), v(1,2)) 

c1 and c2 are dependent on only one parent seed each. Therefore, revealing the parent 
alone reveals a child, ruling out the use of either. Further, c6 = c(c3, c4, c5) and c5 = c(c3, 
c4, c6) etc. Therefore revealing any three of these combinations implicitly reveals the 
fourth. Nonetheless, any three of these combinations can be used rather than just the two 
used in the BHT2. Analysis of the resulting ternary tree (BHT3) is left for future work. 
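An added example (not from the original text) serving both the BHT2 construction of (4.4.1), with the layer-width and leaf-count claims above, and the six combinations c1 to c6: build() grows the tree from three initial seeds, receiver_keys() derives what a receiver can compute from a handful of revealed intermediate seeds, and six_combinations() checks that c3 and c4 are the two BHT2 uses and that c6 = c(c3, c4, c5). The rotation-plus-hash blinding functions (SHA-256 truncated to 128 bits standing in for MD5), XOR as c(), the neighbour indexing that assigns two parents to each child, the rule that a receiver computes a child only from both parents, and the sample seeds are all assumptions made here.

```python
import hashlib

SEED_BITS = 128
MASK = (1 << SEED_BITS) - 1


def _hash128(x: int) -> int:
    """Base one-way function: SHA-256 truncated to 128 bits (assumed choice)."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(16, "big")).digest()[:16], "big")


def b0(s: int) -> int:
    """'Left' blinding: one-bit left rotation, then hash."""
    return _hash128(((s << 1) | (s >> (SEED_BITS - 1))) & MASK)


def b1(s: int) -> int:
    """'Right' blinding: one-bit right rotation, then hash."""
    return _hash128(((s >> 1) | ((s & 1) << (SEED_BITS - 1))) & MASK)


def combine(a: int, b: int) -> int:
    """Combining function c(): XOR."""
    return a ^ b


def parents(i: int) -> tuple:
    """Equation (4.4.1) read with the text's concrete cases: an odd child combines
    the left blinds of s(d-1, floor(i/2)) and s(d-1, floor(i/2)+1); an even child
    combines the right blinds of s(d-1, i/2) and s(d-1, i/2-1).
    Returns ((u, w), blinding function)."""
    if i % 2 == 1:
        return (i // 2, i // 2 + 1), b0
    return (i // 2, i // 2 - 1), b1


def build(initial: list, D: int) -> dict:
    """BHT2 from a row of initial seeds; a child exists only where both parents
    exist, so layer d+1 holds 2*n(d) - 2 seeds and the edges wither inwards."""
    tree = {(0, i): s for i, s in enumerate(initial)}
    for d in range(1, D + 1):
        prev = [i for (dd, i) in tree if dd == d - 1]
        for i in range(2 * min(prev) - 1, 2 * max(prev) + 3):
            (u, w), bp = parents(i)
            if (d - 1, u) in tree and (d - 1, w) in tree:
                tree[(d, i)] = combine(bp(tree[(d - 1, u)]), bp(tree[(d - 1, w)]))
    return tree


def leaf_count(tree: dict) -> int:
    """Number of keys across the leaves (layer D)."""
    D = max(d for d, _ in tree)
    return sum(1 for d, _ in tree if d == D)


def receiver_keys(tree: dict, revealed: dict) -> dict:
    """What a receiver holding `revealed` ({(d,i): seed}) can compute: a child is
    reachable only when both of its parents are held (assumed rule).  Returns
    the leaf keys (index -> value) it can reconstruct."""
    D = max(d for d, _ in tree)
    have = dict(revealed)
    for d in range(1, D + 1):
        for (dd, i) in tree:
            if dd != d:
                continue
            (u, w), bp = parents(i)
            if (d - 1, u) in have and (d - 1, w) in have:
                have[(d, i)] = combine(bp(have[(d - 1, u)]), bp(have[(d - 1, w)]))
    return {i: s for (d, i), s in have.items() if d == D}


def six_combinations(s00: int, s01: int) -> tuple:
    """The six pairwise combinations c1..c6 of the four blinded values of two
    parents; c3 and c4 are the two that BHT2 actually uses."""
    v = [b0(s00), b1(s00), b0(s01), b1(s01)]
    return (combine(v[0], v[1]), combine(v[2], v[3]),   # c1, c2: one parent each
            combine(v[0], v[2]), combine(v[1], v[3]),   # c3, c4: used by BHT2
            combine(v[0], v[3]), combine(v[1], v[2]))   # c5, c6


# Constructed initial seeds (fixed, not random, for a reproducible run).
DEMO_INITIAL = [0x1111_2222_3333_4444_5555_6666_7777_8888,
                0x9999_AAAA_BBBB_CCCC_DDDD_EEEE_FFFF_0000,
                0x0F0F_1E1E_2D2D_3C3C_4B4B_5A5A_6969_7878]


def demo() -> dict:
    """D=3 tree: reveal s(2,3), s(2,4), s(2,5) and see which leaf keys follow;
    check the combination identities against the tree."""
    tree = build(DEMO_INITIAL, 3)
    revealed = {pos: tree[pos] for pos in [(2, 3), (2, 4), (2, 5)]}
    got = receiver_keys(tree, revealed)
    c1, c2, c3, c4, c5, c6 = six_combinations(DEMO_INITIAL[0], DEMO_INITIAL[1])
    return {"leaves": leaf_count(tree), "keys": sorted(got),
            "c3_is_s11": c3 == tree[(1, 1)], "c4_is_s12": c4 == tree[(1, 2)],
            "c6_from_c3_c4_c5": c6 == combine(combine(c3, c4), c5)}


if __name__ == "__main__":
    print(demo())
```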



Common model 

Having presented four key sequence constructions, we now present a common 
model, which allows all of these schemes and others like them to be described in the 
same terms. 



We define two co-ordinate planes: 

• a 'blinding' plane with discrete values, v, sitting at co-ordinates (h,j) such 
that, in general, values at one h co-ordinate are blinded to produce the 
values at h+1, the specific mappings depending on the scheme; 

• a 'combining' plane with discrete values, s, sitting at co-ordinates (d,i), 
which are the result of combining values from the blinding plane in ways 
that again depend on the scheme. 

Each construction is built from elementary mathematical 'molecules' in the 
blinding plane. Figs 20a-20e show these molecules as a collection of thick black arrows 
representing the blinding functions mapping from one value of v to the next, starting from 
the h=0 axis. To show how the construction grows in the direction of the j axis, the thick 
but very light-grey arrows represent blinding of adjacent values that complete the next 
molecule. A molecule is defined by three constants: 

• H, the height of one molecule along the h axis of the blinding plane 

• P, the number of blinding functions used within one molecule 

• Q, the number of values that are combined from each molecule in the 
blinding plane to produce each value in the combining plane 
The initial values, v, of one molecule in the blinding plane map directly from the 
previous values, s, in the combining plane (shown as chain dashed lines in Figs 20a-20e): 

if h mod H = 0: v(h,j) = s(h/H, j) (4.5.1). 

Subsequent values in a blinding plane molecule are blinded from previous values 
(shown as thick arrows): 

if h mod H ≠ 0: v(h,j) = b_p(v(h-1, ⌊j/P⌋)) (4.5.2). 
where p = j mod P. 

The resulting final values in the blinding plane molecule are then combined to 
produce the next values in the combining plane (shown as thin lines): 
s(d,i) = c(v(h_0,j_0), ... v(h_q,j_q), ... v(h_(Q-1),j_(Q-1))) (4.5.3). 

where h_q and j_q are defined for each construction as functions of the parameter q. 
Thus, d increments by one in the combining plane for every H along the h axis in the 
blinding plane. 

Table 1 gives the values of H, P and Q and the formulae for h_q and j_q that define 
each construction. It also refers to the figures that illustrate each construction using this 
common model. 

Table 4.5.1 - Coefficients of the common model defining each key sequence 
construction 

In all cases, unless a continuous construction is desired, the keys 
constructed from the sequence are defined by: 
k_i = s(D,i) (4.5.4) 
where D = log(N_0) 

and N_0 is the maximum number of keys required. 

Incidentally, the one-way function tree (OFT) [McGrew98] results from 
setting {...?} 


Trading off storage against processing 

In all the MARKS constructions, a small number of seeds is used to generate a 
larger number of keys, both at the sender before encryption and at the receiver before 
decryption. In either case, there may be limited storage capacity for the key sequence, 
which requires exponentially more storage than the seeds. In such cases, the first few 
keys may be calculated while storing the seeds that will allow the remainder to be 
calculated. In general, either storage can be saved or repetition of the same calculations 
can be avoided, depending on whether storage or processing time is in shortest supply. 

With the BHC, the whole reverse chain has to be traversed before the first key 
can be calculated. However, not every value needs to be stored. The values at the half- 
way point, three-quarter point etc. may be stored and the rest discarded. As the sequence 
eats back into this reverse chain, the next value can always be recalculated by re-running 
the hash chain from the previous stored value, storing more values on the way as 
required. 

With all the tree constructions, any intermediate seeds down the branch of the 
tree to the first key need to be calculated before the session can start, but again they don't 
all need to be stored. Those closest to the leaves should be stored (cached), as they will 
be needed soonest to calculate the next few keys. As intermediate seeds nearer to the 
root are required, they can be recalculated as long as the seeds originally sent by the key 
manager are never discarded. 
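The BHC reverse-chain trade-off described above, as an added Python example that is not part of the original text: the walker serves a chain's values in reverse order from the single seed at its start (as a receiver consuming v(G-m,1) down to v(G-n,1) would), storing only the half-way, three-quarter, ... checkpoints of each interval it re-runs, and counts the blinding operations and peak storage this costs. The hash function, the checkpoint bookkeeping and the sample seed are assumptions made here.

```python
import hashlib


def blind(v: bytes) -> bytes:
    """Blinding function b(): SHA-256 truncated to 128 bits (assumed choice)."""
    return hashlib.sha256(v).digest()[:16]


class ReverseChainWalker:
    """Serves chain values in reverse order (position length-1 first, position 0
    last) from the one seed at position 0, holding only checkpoints at the
    half-way, three-quarter, ... points of the interval last traversed.
    `hashes` counts blinding operations; `max_stored` is the peak number of
    values held at once."""

    def __init__(self, seed: bytes, length: int):
        self.hashes = 0
        self.max_stored = 1
        self.checkpoints = {0: seed}      # chain position -> value
        self.remaining = length - 1       # position of the next value to serve
        self._fill(0, self.remaining)

    def _fill(self, start: int, end: int) -> None:
        """Re-run the chain from checkpoint `start` to `end`, storing the end and
        the half-way, three-quarter, ... points of the interval on the way."""
        marks = {end}
        lo, hi = start, end
        while hi - lo > 1:
            lo = (lo + hi) // 2
            marks.add(lo)
        v = self.checkpoints[start]
        for pos in range(start + 1, end + 1):
            v = blind(v)
            self.hashes += 1
            if pos in marks:
                self.checkpoints[pos] = v
        self.max_stored = max(self.max_stored, len(self.checkpoints))

    def next_value(self) -> bytes:
        """Next value walking back towards position 0; a checkpoint is dropped
        once it has been consumed, since nothing after it is needed again."""
        pos = self.remaining
        if pos not in self.checkpoints:
            start = max(p for p in self.checkpoints if p < pos)
            self._fill(start, pos)
        self.remaining -= 1
        return self.checkpoints.pop(pos)


def walk_all(seed: bytes, length: int) -> tuple:
    """Consume a whole chain of `length` values in reverse order; returns the
    values, the blinding operations spent and the peak number stored."""
    w = ReverseChainWalker(seed, length)
    values = [w.next_value() for _ in range(length)]
    return values, w.hashes, w.max_stored


def forward_chain(seed: bytes, length: int) -> list:
    """Plain (4.1.1) chain, used to check the walker's output."""
    out = [seed]
    for _ in range(length - 1):
        out.append(blind(out[-1]))
    return out


DEMO_SEED = bytes(range(16))   # constructed 128-bit seed


if __name__ == "__main__":
    # For a chain of 8: 10 blindings and at most 5 stored values, against
    # 7 blindings with all 8 stored, or 28 blindings recomputing from the seed.
    values, hashes, stored = walk_all(DEMO_SEED, 8)
    print(values == forward_chain(DEMO_SEED, 8)[::-1], hashes, stored)
```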

Efficiency 

As has already been noted, the BHC with H>3 is extremely efficient but insecure. 
Therefore we will confine discussion to the binary tree-based constructions that we have 
fully analysed. Table 5.2.1 shows various parameters of BHT, BHC-T and BHT2 per 
secure multicast session, where: 

R, S and KM are the receiver, sender and key manager, respectively, as 
defined in Section 3 
N (= n-m+1) is the length of the range of keys that the receiver requires, 
randomly positioned in the key space 
w_s is the size of a seed (typically 128b) 
w_h is the size of the protocol header overhead 
t_b is the processor time to blind a seed (plus one relatively negligible circular 
shifting and/or combining operation) 

Table 5.2.1 - Various parameters of BHT, BHC-T and BHT2 per secure multicast 
session 


The unicast message size for each receiver's session set-up is shown equated to 
the minimum amount of storage each receiver requires. This is only so if the receiver 
chooses to trade off storage for processing as described above. The same trade-off has 
been used for the minimum sender storage row. The processing latency is the time 
required for one receiver to be ready to decrypt incoming data after having received the 
unicast set-up message for its session. Note that there is no latency cost when other 
members join or leave, as in schemes that cater for unplanned eviction. Note that the 
figures for processing per key assume sequential access of keys. In this case, the most 
efficient values to store during any session (other than the minimum set revealed to allow 
construction of the tree) are the ones on the branch from the root to the key in current use. 
The mean processing per key is then the number of hash operations in the whole tree 
divided by the number of keys. The sender (or a group controller if there 
are multiple senders) is required to generate random bits for the initial seeds. The number 
of bits required is clearly equal to the minimum sender storage of these initial seeds. 
It can be seen that the only parameters that depend on the size of the group 
membership are those that are per receiver. The cost of two of these (storage and 
processing latency) is distributed across the group membership, thus being constant per 
receiver. Only the unicast message size causes a cost at a key manager that rises linearly 
with group membership size, but the cost is only borne once per receiver session. 
Certainly, none of the per receiver costs are themselves dependent on the group size as 
in all schemes that allow unplanned eviction. Thus, all the constructions presented are 
highly scalable. 

Comparing the schemes with each other, perhaps surprisingly, the hybrid BHC-T 
and BHT2 are very nearly as efficient as the BHT in messaging terms. They both only 
require an average of one more seed per receiver session set-up message. If N is large, 
this is insignificant compared to the number of keys required per receiver session. On 
average BHC-T requires twice as much processing and BHT2 four times as much as 
BHT. However, we shall see that the security improvements are well worth the cost. 


BHT 

With the BHT, each seed in the tree is potentially twice as valuable as its child. 
Therefore, there is an incentive to exhaustively search the seed space for the correct 
value that blinds to the current highest known seed value in the tree. For the MD5 hash, 
this will involve 2^127 MD5 operations on average. It is possible a value will be found that is 
incorrect but blinds to a value that collides with the known value (typically one will be 
found every 2^ operations with MD5). This will only be apparent by using the seed to 
produce a range of keys and testing one on some data supposedly encrypted with it. 
Having succeeded at breaking one level, the next level will be twice as valuable again, but 
will require the same brute-force effort to crack. Note that one MD5 hash (portable source) 
of a 128b input takes about 4us on a Sun SPARCserver-1000. Thus, 2^128 MD5s would 
take 4e25 years. 

BHC-T 

With the BHC-T hybrid, the strength against attack depends on which direction 
the attack takes. If we take a single element of the BHC-T, it has four seed values - two 
parents and two children as shown in Table 5.3.1 and also illustrated in Fig 17. Given only 
any one of the four values, none of the others can ever be calculated as there is 
insufficient information to test correctness. Given three of the four values, the fourth can 
always be calculated with one blinding operation. Given just two of the values, the 
table lists how difficult it is to calculate the other two, depending on which two are given. 
The letter 'i' represents an input value and the values in the cells represent the number of 
blinding function operations necessary to guarantee finding the pair of output values given 
the inputs. w is the number of bits in the number-space (128 for MD5). Fig 17 shows the 
same information graphically, with input values ringed and blinded values shown over a 
grey background. 
Fig 17 - Revealing and blinding seed pairs in BHC-T 

If a parent and child down one side of the 'square' are given, the opposite parent 
can be searched exhaustively, with each value tested by blinding it and comparing it with 
the XOR of the two given values. Thus, success is guaranteed after 2^w blinding operations 
for a 'sideways' attack. 

If only the two child values are given, the exhaustive search for one of the 
parents is slightly more involved. That is, one parent value, s(0,1), is guessed, and it is 
only correct if the following is true: 

c(s(0,1), b(c(s(1,1), b(s(0,1))))) = s(1,2) 

Thus, success is guaranteed after 2^(w+1) blinding operations for an 'upwards' 
attack. 

The probability of finding two unknown values that are compatible with the two 
given values but are also not the correct pair of values (a double collision) is small in this 
construction. If such a pair does turn up, they can only be tested by producing keys with 
them and testing the keys on encrypted data. The lesser probability of a double collision 
therefore slightly reduces the complexity of the attacker's task. 

A sideways attack can only gain at most one seed at the same level as the 
highest seed already known. An attack to the right ends at an even indexed child as only 
one value is known in the next 'box' to the right. Similarly, attacking to the left is blocked 
by an odd indexed child. An upward attack is then the only remaining option. One 
successful upward attack gives no 'extra' keys, but when followed by a sideways attack 
reveals double the keys of the last sideways attack. 



BHT2 

The strength of the BHT2 against attack takes a similar form to that of the BHC-T 
hybrid, except the strength against upward attack is designed to be far greater. As with 
BHC-T, just one known value from a 'square' of four can never reveal any of the others. 
However, unlike BHC-T, three values do not necessarily immediately give the fourth. If 
only one parent is unknown, 2^w blinding operations are required to guarantee finding it. 
Given just two of the values, Table 5.3.2 lists how difficult it is to calculate the other two, 
depending on which two are given. As before, the values in the cells represent the number 
of blinding function operations necessary to guarantee finding the pair of output values 
given the inputs. Fig 18 shows the same information graphically, with input values ringed 
and blinded values shown over a grey background. 

Table 5.3.2 - Revealing and blinding seed pairs in BHT2 

Fig 18 - Revealing and blinding seed sub-sets in BHT2 

If a parent and either child down one side of the 'square' are given, the opposite 
parent can be searched exhaustively, with each value tested by blinding it and comparing 
it with the XOR of the two known values. Thus, success is guaranteed after 2^w blinding 
operations for a 'sideways' attack. The same applies if a parent and the opposite child are 
given. 

If only the two child values are given, the exhaustive search for the parents 
is designed to be much more involved in BHT2. For each guess at the right parent 
value, s(0,1), it must be left blinded, then the left parent value has to be exhaustively 
searched to find a left blinded value which, when combined with the first left blinded 
guess, gives the given value of the left child. However, when these two parent 
guesses are right blinded, they are unlikely to combine to give the correct right child. 
Thus, the next guess at the right parent has to be combined with an exhaustive 
search of the blinded values of the left parent and so on. This is equivalent to solving 
the following simultaneous equations, given only s(1,1) and s(1,2): 

c(b0(s(0,0)), b0(s(0,1))) = s(1,1) 
c(b1(s(0,0)), b1(s(0,1))) = s(1,2) 


To guarantee success therefore requires an exhaustive search of the square 
matrix of combinations of the two parents, that is 2^(2w) blinding operations. The greater 
strength against brute force attack in the child to parent direction is shown in the figure by 
a darker grey background. An alternative would be to store all the left and right blinded 
values of one parent to save repeatedly recalculating them. However just the unindexed left 
blinded values of every possible value of one parent would consume more than 5e27 TB of 
storage, the cost of which makes other means of attack more economically worthwhile! 

The same comments about double collisions apply to BHT2 as did to BHC-T, 
except the wrong pair of values would only appear if four hash collisions were stumbled 
upon simultaneously - an event with vanishingly small probability. 

Sideways attacks in BHT2 are confined to at most one 'box' either way as they 
are in BHC-T. Therefore, to gain any significant number of keys, an upward attack soon 
has to be faced. 2^w blinding operations will probably be more 
expensive than legally acquiring the keys being attacked. Once an upward attack has to 
be faced, 2^(2w) blinding operations are definitely an incentive to find another way. 
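The two 'squares' discussed above, as an added worked example in Python that is not the patent's own code: it derives children from pairs of adjacent seeds for BHC-T and for BHT2 (the child rules are read off the equations given in these two sections), shows what a receiver holding a run of seeds at one level can compute further down (each pair of adjacent parents gives two children, so an isolated seed gives nothing), and checks the 'three of four' property that separates the two constructions: in BHC-T a parent plus its opposite child determines the other parent with one blinding operation, whereas the same identity fails for BHT2 because both parents sit under a hash. MD5 stands in for the blinding function as in the text; the byte prefix that makes b0 and b1 distinct, the random top-level seeds and all function names are assumptions of this example.

```python
import hashlib
import os


def c(a, b):
    """The combining function c(): bitwise XOR of two equal-length values."""
    return bytes(x ^ y for x, y in zip(a, b))


def blind(seed, which=0):
    """One-way blinding. which=0 is b() for BHC-T and b0 for BHT2; which=1 is b1.
    MD5 as in the text; the distinguishing prefix byte is this example's assumption."""
    return hashlib.md5(bytes([which]) + seed).digest()


def square_bhct(left, right):
    """BHC-T square: s(d+1,2i+1) = c(s(d,i), b(s(d,i+1))), s(d+1,2i+2) = c(s(d,i+1), b(s(d,i)))."""
    return c(left, blind(right)), c(right, blind(left))


def square_bht2(left, right):
    """BHT2 square: s(d+1,2i+1) = c(b0(s(d,i)), b0(s(d,i+1))), s(d+1,2i+2) = c(b1(s(d,i)), b1(s(d,i+1)))."""
    return c(blind(left, 0), blind(right, 0)), c(blind(left, 1), blind(right, 1))


def next_level(square, level):
    """Everything a holder of `level` ({index: seed}) can derive one level down.
    A child needs both of its parents, so a seed with no known neighbour yields nothing."""
    below = {}
    for i, left in level.items():
        right = level.get(i + 1)
        if right is not None:
            below[2 * i + 1], below[2 * i + 2] = square(left, right)
    return below


def expand(square, level, levels_down):
    """Apply next_level repeatedly: N adjacent seeds give 2(N-1) at the next level."""
    for _ in range(levels_down):
        level = next_level(square, level)
    return level


def receiver_view(square, width=5, depth=2, lo=1, hi=3):
    """The sender holds `width` random top seeds at indices 0..width-1 (constructed here);
    the receiver is sent top seeds lo..hi. Returns (key indices the receiver can compute,
    whether each of them equals the sender's key at that index)."""
    top = {i: os.urandom(16) for i in range(width)}
    sender_keys = expand(square, top, depth)
    mine = expand(square, {i: top[i] for i in range(lo, hi + 1)}, depth)
    return sorted(mine), all(sender_keys[i] == k for i, k in mine.items())


def parent_from_opposite_child(left_parent, right_child):
    """The one-step identity behind the BHC-T 'three of four' rule: the right child is
    c(pr, b(pl)), so pr = c(cr, b(pl)). It is a property of the construction, not a search."""
    return c(right_child, blind(left_parent))


def three_of_four(square):
    """Given the left parent and both children of a random square, does the right parent
    follow from the identity above? True for BHC-T; False for BHT2, where the text says
    the missing parent costs 2^w blinding operations instead."""
    pl, pr = os.urandom(16), os.urandom(16)
    cl, cr = square(pl, pr)
    return parent_from_opposite_child(pl, cr) == pr


if __name__ == "__main__":
    print(receiver_view(square_bhct))    # ([7, 8, 9, 10, 11, 12], True): 3 seeds -> 4 -> 6 keys
    print(three_of_four(square_bhct), three_of_four(square_bht2))   # True False
```

With five top seeds the sender's tree has eight seeds at the next level and fourteen keys below that; a receiver given top seeds 1..3 obtains exactly keys 7..12, and a receiver given a single seed obtains nothing, which is the property the sideways-attack discussion relies on.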

Generally, the more random values that are needed to build a tree, the more it 
can contain sustained attacks to within the bounds of the sub-tree created from each new 
random seed. However, for long-running sessions, there is a trade-off between security 
and the convenience of a continuous key-space, as discussed above in relation to 
continuous trees. The randomness of the randomly generated seeds is another potential 
area of weakness that must be correctly designed. 

All the MARKS constructions are vulnerable to collusion between valid group 
members. If a sub-group of members agree amongst themselves to each buy a different 
range of the key space, they can all share the seeds they are sent so that they can all 
access the union of their otherwise separate key spaces. Arbitrage is a variant of member 
collusion that has already been discussed. This is where one group member buys the 
whole key sequence then sells portions of it more cheaply than the selling price, still 
making a profit if most keys are bought by more than one customer. Protection against 
collusion with non-group members is discussed in Section 6.3 on watermarking. 

Finally, the total system security for any particular application clearly 
depends on the strength of the security used when setting up the session. The 
example scenario above describes the issues that need to be addressed and 
suggests standard cryptographic techniques to meet them. As always, the overall 
security of an application using any of the MARKS constructions is as strong as the 
weakest part. 



The key management schemes described in the current work lend themselves to 
modular combination with other mechanisms to meet the additional commercial 
requirements described below. 



Multi-sender multicast 
A multi-sender multicast session can be secured using the MARKS constructions 
as long as all the senders arrange to use the same key sequences. They need not all 
simultaneously be using the same key as long as the keys they use are all part of the 
same sequence. Receivers can know which key to use even if each sender is out of 
sequence with the others as long as the ADU index is transmitted in the clear as a header 
for the encrypted ADU. The example scenario in Section 3 described how multiple 
senders might synchronise the index they were all using if this was important to the 
commercial model of the application. 

If each sender in a multi-sender multicast uses different keys or key sequences, 
each sender is creating a different secure multicast session even if they all use the same 
multicast address. This follows from the distinction between a multicast session and a 
secure multicast session defined in Section 2.1. In such cases each secure multicast 
session must be created and maintained separately from the others. However, there may 
be some scope for what is termed amortised initialisation [Balen99]. That is, distinct 
secure multicast sessions can all use the same set-up data to save messaging. For 
instance, the commercial model might be that customers always have to buy the same 
ADUs from every one of a set of related senders if they buy any at all from each. In such a 
scenario, each sender might combine a MARKS sequence of keys common to all senders 
with a long-term key specific to that sender. The customer could buy the relevant seeds 
for the common range of keys, then buy an additional long-term key for each sender she 
wished to decrypt. 
Non-sequential and multi-sequential key access 

The MARKS constructions are designed to be efficient when giving each receiver 
access to a key sequence that is an arbitrary sub-range of a wider sequence, but not 
where the data isn't sequential or where arbitrary disjoint parts of a sequence are 
required. Thus MARKS is targeted at data streams that are naturally sequential in one 
dimension, such as real-time multimedia streams. 

However, once a receiver has access to a range of keys, clearly there is no 
compulsion to access them in sequential order. For instance, the receiver may store away 
a sub-range of a stream of music being multicast over the Internet encrypted using one of 
the MARKS key sequences. Using an index of the tracks downloaded, the receiver could 
later pick out tracks to listen to in random order, using the relevant keys taken out of order 
from the MARKS sequence. 

MARKS can also be used to restrict access to data that is sequential but in 
multiple dimensions. Some examples of such applications are described in M. Fuchs, C. 
Diot, T. Turletti, M. Hoffman, "A Naming Approach for ALF Design", in proceedings 
of HIPPARCH workshop, London, (June 1998). A two dimensional key sequence space 
is shown in Fig 19. 

For instance, access to multicast stock quotes could be sold both by the duration 
of the subscription and by the range of futures markets subscribed to. Each quote would 
then need to be encrypted with two intermediate keys XORed together. Thus the 'final 
keys' actually used for encryption would be: 

k_i,j = c(k'_0,i, k'_1,j). 

One intermediate key would be from a sequence k'_0,i where i increments every 
minute. The other intermediate key could be from a sequence k'_1,j where j represents the 
number of months into the future of the quote. A trader specialising in one to two year 
futures would not only buy the relevant sub-range of k'_0,i depending on how long she 
wanted to subscribe, but she would also buy the range of intermediate keys k'_1,12 to k'_1,24. 

An approach such as Ross Anderson & Charalampos Manifavas (Cambridge 
Uni), "Chameleon - A New Kind of Stream Cipher", Encryption in Haifa (Jan 1997), 
(described earlier) can be used to watermark the keys used to decrypt the stream of data. 
Thus, the keys generated by any of the MARKS constructions are treated as intermediate 
keys. The sender creates a sequence of final keys by combining each intermediate key 
with a long-term key block (512kB in the concrete example) as described in Section 2.2. 
Each receiver is given a long-term watermarked version of the same block to produce a 
watermarked sequence of final keys from her sequence of intermediate keys, thus 
enforcing watermarked decryption. 

However, this approach suffers from a general flaw with Chameleon. It creates an 
audit trail for any keys or data that are passed by a traitorous authorised receiver to a 
completely unauthorised receiver - that is a receiver without a long-term key block. In such 
cases the traitor who revealed the keys or data can be traced if the keys or data are 
traced. However, intermediate keys, rather than final ones, can be passed to any receiver 
who has, at some time, been given a long-term key block that is still valid. Thus a receiver 
not entitled to certain of the intermediate keys (which are not watermarked) can create 
final keys watermarked with her own key block and hence decrypt the cipherstream. 
Although the keys and data produced are stamped with her own watermark, this only 
gives an audit trail to the target of the leak, not the source. Hence, there is little deterrent 
against this type of 'internal' traitor. 

Returning to the specific case of the MARKS constructions, this general flaw with 
Chameleon means that either the seeds or the intermediate keys can be 
passed around internally without fear of an audit trail. For instance, in the above network 
game example, a group of players can collude to each buy a different game-hour and 
share the intermediate seeds they each buy between themselves. To produce the real 
keys, each player can then use her own watermarked long-term key block that she would 
need to play the game. No audit trail is created to trace who has passed on 
unwatermarked intermediate seeds. However, there is an audit trail if any of the players 
tries to pass the watermarked keys or data to someone who has not played the game 
recently and therefore doesn't have a valid long term key block of their own. Similarly, 
there is an audit trail if, instead, one of the players passes on their long-term key block, as 
it also contains a watermark traceable to the traitorous receiver. 

Unplanned eviction 

As already pointed out, the MARKS constructions allow for eviction from the 
group after any arbitrary future ADU, as long as it is planned at the time the receiver session is set up. If 
pre-planned eviction is the common case, but occasionally unplanned evictions are 
needed, any of the MARKS schemes can be combined with another scheme, such as 
LKH++ [Chang99], to allow the occasional unplanned eviction. To achieve this, as with 
watermarking above, the key sequences generated by any of the MARKS constructions 
are treated as intermediate keys. These are combined (e.g. XORed) with a group key 
distributed using for example LKH++ to produce a final key used for decrypting the data 
stream. Thus both the MARKS intermediate key and the LKH++ intermediate key are 
needed to produce the final key at any one time. 

Indeed, any number of intermediate keys can be combined (e.g. using XOR) to 
meet multiple requirements simultaneously. For instance, MARKS, LKH++ and 
Chameleon intermediate keys can be combined to simultaneously achieve low cost 
planned eviction, occasional unplanned eviction and a watermarked audit trail against 
leakage outside the long-term group. 

Formally, the final key, k_i,j,... = c(k'_0,i, k'_1,j, ...) 

where intermediate keys k' can be generated from sequences using MARKS 
constructions or any other means, such as those described in the previous two sections on 
watermarking and multi-dimensional key sequences. 

In general, combination in this way produces an aggregate scheme with storage 
costs that are the sum of the individual component schemes. However, combining LKH++ 
with MARKS where most evictions are planned cuts out all the re-keying messages of 
LKH++ unless an unplanned eviction is actually required. 
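The two-dimensional stock-quote scheme and the general combination k_i,j,... = c(k'_0,i, k'_1,j, ...) above, as an added worked example in Python that is not the patent's own code: a key manager holds one intermediate key sequence per dimension and sells a sub-range of each; the sender's final key for an ADU is the XOR of one intermediate key per dimension, so a receiver decrypts exactly the 'rectangle' she bought, and a third intermediate key (standing in for an LKH++ group key that moves on an unplanned eviction) cuts her off without any message to the other receivers. The intermediate sequences are random values rather than MARKS-derived seeds, the MD5 keystream cipher is a stand-in for whatever cipher the ADUs would really use, and all names are assumptions of this example.

```python
import hashlib
import os


def combine(*intermediate):
    """c(): XOR any number of 16-byte intermediate keys into one final key."""
    final = bytes(16)
    for k in intermediate:
        final = bytes(a ^ b for a, b in zip(final, k))
    return final


def toy_cipher(key, index, data):
    """Illustrative stream cipher only (an assumption of this example, not a MARKS
    component): XOR data with an MD5-derived keystream bound to the ADU index.
    XOR is its own inverse, so the same call decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.md5(key + repr(index).encode() + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyManager:
    """One intermediate key sequence per dimension, constructed here as random values;
    in MARKS each sequence would come from a seed construction such as the BHT."""

    def __init__(self, lengths):
        self.sequences = [[os.urandom(16) for _ in range(n)] for n in lengths]

    def final_key(self, index):
        """k_i,j,... = c(k'_0,i, k'_1,j, ...): the sender's key for the ADU at `index`."""
        return combine(*(seq[i] for seq, i in zip(self.sequences, index)))

    def sell(self, ranges):
        """Hand a receiver the sub-range lo..hi of every dimension's intermediate keys."""
        return [{i: seq[i] for i in range(lo, hi + 1)}
                for seq, (lo, hi) in zip(self.sequences, ranges)]


def receiver_decrypt(bought, index, ciphertext):
    """Returns the ADU when the receiver holds the intermediate key for every coordinate
    of `index`, otherwise None: one missing dimension blocks the whole final key."""
    try:
        parts = [keys[i] for keys, i in zip(bought, index)]
    except KeyError:
        return None
    return toy_cipher(combine(*parts), index, ciphertext)


def demo():
    """Stock quotes keyed by (minute, months ahead, group epoch). The third dimension
    models an extra intermediate key such as an LKH++ group key that is re-issued only
    when an unplanned eviction happens."""
    km = KeyManager([60, 36, 2])
    trader = km.sell([(5, 9), (12, 24), (0, 0)])   # minutes 5-9, 1-2 year futures, epoch 0
    quote = b"constructed quote: 18-month future @ 101.25"

    def send(index):
        return toy_cipher(km.final_key(index), index, quote)

    in_range = receiver_decrypt(trader, (7, 14, 0), send((7, 14, 0))) == quote
    wrong_month = receiver_decrypt(trader, (7, 30, 0), send((7, 30, 0)))
    after_eviction = receiver_decrypt(trader, (7, 14, 1), send((7, 14, 1)))
    return in_range, wrong_month, after_eviction


if __name__ == "__main__":
    print(demo())   # (True, None, None)
```

Storage on the receiver is the sum of the sub-ranges bought, as the paragraph above states for combined schemes; the group-epoch dimension costs one extra key and is only re-sold when an unplanned eviction forces it.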

The invention is by no means limited to use with multicast data networks. 
Two other fields of use are described below by way of example. 

Virtual private network (VPN) 

A large company may allow its employees and contractors to communicate 
with other parts of the company from anywhere on the internet by setting up a VPN. 
One way to achieve this is to give every worker a group key used by the whole 
company. Consequently, every time a worker joins or leaves the company, the group 
key has to be changed. Instead the key should be changed regularly in a sequence 
determined by one of the MARKS constructions, whether or not workers join or 
leave. As each new employment contract is set up, seeds are given to each worker 
that allow her to calculate the next keys in the sequence until her contract comes up 
for renewal. Any worker that leaves prematurely is treated as an unplanned eviction. 

Digital versatile disk (DVD) 

DVD originally stood for digital video disk, because its capacity was suited to 
this medium. However, it may be used to store content such as software or audio 
that requires less storage space. Instead of pressing a different sparsely filled DVD 
for each selection of audio tracks or software titles, using the present invention, each 
DVD is produced filled to capacity with many hundreds of related tracks or titles. 
Each track or title constitutes an ADU. Each ADU could be encrypted with a 
different key from a sequence created using one of the MARKS constructions. These 
DVDs could be mass-produced and given away free (e.g. as cover disks on 
magazines). Anyone holding one of these DVDs could then buy seeds over the 
Internet that would give access to a range of keys to unlock some of the ADUs on 
the DVD. MARKS is ideally suited to such scenarios because the encryption key 
cannot be changed once the DVD is pressed, so commercial models that use physical 
media don't tend to rely on unplanned eviction. This scheme could usefully be 
combined with Chameleon to watermark the keys and data. 

We have described above solutions to manage the keys of very large 
groups. They preserve the scalability of receiver-initiated Internet multicast by 
completely de-coupling senders from all receiver join and leave activity. Senders are 
also completely decoupled from the key managers that absorb this receiver activity. 
We have shown that many commercial applications have models that only need 
stateless key managers, in which cases unlimited key manager replication is feasible. 

When one of a replicated set of stateless key managers fails it has no effect on 
transactions in progress on sister servers, thus isolating the overall system from 
problems, improving resilience. We have presented a worked example of a large-scale 
network game charged per minute to illustrate these points. 

These gains have been achieved by the use of systematic group key changes 
rather than receiver join or leave activity driving re-keying. Decoupling is achieved by 
senders and key managers pre-arranging the unit of financial value in the multicast 
data stream (the 'application data unit' with respect to charging). A systematic key 
change can then be signalled by incrementing the ADU index declared in the data. 
Using this model, there is zero side-effect on other receivers as well as on the 
senders when one receiver joins or leaves. We also ensure multicast is not used for 
key management, only for data transfer. Thus, re-keying isn't vulnerable to random 
transmission losses, which are complex to repair scalably when using multicast. 
Traditional key management solutions have successfully improved the scalability of 
techniques to allow unplanned evictions of group members; however the best 
techniques are still costly in messaging terms. In contrast we have focussed on the 
problem of planned eviction. That is, eviction after some arbitrary future ADU, but 
planned at the time a receiver requests a session. We have asserted that many 
commercial scenarios based on pre-payment or subscription don't require unplanned 
eviction but do require arbitrary planned eviction. Examples are pay-TV, pay-per-view 
TV or network gaming. 

To achieve planned but arbitrary eviction we have designed a choice of key 
sequence constructions that are used by the senders to systematically change the 
group key. They are designed such that any sub-range of the sequence can be 
reconstructed by revealing a small number of seeds (16B each). Thus receivers can 
be given access to arbitrary sub-ranges of the data sequence. All the practical 
schemes can reveal N keys to each receiver using O(log(N)) seeds. The schemes 
differ in the processing load to calculate each key, which is traded off against 
security. The heaviest scheme requires on average just O(2(log(N) - 1)) fast hash 
operations to get started, then on average just sixteen more hashes to calculate each 
new key in the sequence, which can be done in advance. The lightest scheme 
requires four times less processing than this. 

To put this work in context, for pay TV charged per second with 10% of ten 
million viewers tuning in or out within a fifteen minute period, the best alternative 
scheme (Chang et al) might generate a re-key message of the order of tens of 
thousands of bytes every second multicast to every group member. The present work 
requires a message of a few hundred bytes unicast just once to each receiver at the 
start of perhaps four hours of viewing. 
Appendix A - Algorithm for identifying minimum set of intermediate seeds for BHT 

In the following C-like code fragment 

• the function odd(x) tests whether x is odd 

• and the function reveal(d,i) reveals seed s(d,i) to the receiver 

    min=m; max=n; 
    if (min > max) error();      // reject min > max 
    for (d=D; d>=0; d--) {       // working from bottom of tree... 
                                 // move up the tree one level each loop 
        if (min == max) {        // min & max have converged... 
            reveal(d,min);       // ...so reveal root of sub-tree... 
            break;               // ...and quit 
        } 
        if (odd(min)) {          // odd min values are never left children... 
            reveal(d,min);       // ...so reveal odd min seed 
            min++;               // and step min inwards one seed to right 
        } 
        if (!odd(max)) {         // even max values are never right children... 
            reveal(d,max);       // ...so reveal even max seed 
            max--;               // and step max inwards one seed to left 
        } 
        if (min > max) break;    // min & max were cousins, so quit 
        min/=2;                  // halve min... 
        max/=2;                  // ...and halve max ready for... 
    }                            // ...next level up round loop 
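The BHT construction together with the Appendix A rule, as an added worked example in Python that is not the patent's own code: the sender expands a root seed into the tree, the key manager computes the minimum seed set for keys m..n with the procedure above, and the receiver expands those seeds back down to the key level and is checked against the sender's keys, so the O(log(N)) seed count and the exact coverage of the requested range can both be seen. MD5 stands in for the blinding function as in the text; the prefix byte that distinguishes the two child blinding functions, the 16-byte constructed root seed, the tree depth of 4 and all function names are assumptions of this example.

```python
import hashlib

DEPTH = 4  # D: keys sit at level D, so 2**DEPTH keys per tree (16 here, a constructed size)


def blind(seed, which):
    """Blinding function for the left (which=0) or right (which=1) child. One-way, so
    holding a child never yields its parent. MD5 as in the text; the prefix byte that
    makes the two functions distinct is an assumption of this example."""
    return hashlib.md5(bytes([which]) + seed).digest()


def build_bht(root, depth=DEPTH):
    """Sender side: level d+1 holds s(d+1,2i) = b0(s(d,i)) and s(d+1,2i+1) = b1(s(d,i))."""
    levels = [[root]]
    for _ in range(depth):
        children = []
        for parent in levels[-1]:
            children.append(blind(parent, 0))   # even index: left child
            children.append(blind(parent, 1))   # odd index: right child
        levels.append(children)
    return levels


def minimum_seeds(m, n, depth=DEPTH):
    """Appendix A: positions (d, i) of the fewest seeds that cover keys m..n inclusive."""
    if m > n:
        raise ValueError("min > max")
    lo, hi, revealed = m, n, []
    for d in range(depth, -1, -1):        # from the key level up to the root
        if lo == hi:                      # min & max have converged on one sub-tree
            revealed.append((d, lo))
            break
        if lo % 2 == 1:                   # odd min is never a left child
            revealed.append((d, lo))
            lo += 1
        if hi % 2 == 0:                   # even max is never a right child
            revealed.append((d, hi))
            hi -= 1
        if lo > hi:                       # min & max were cousins
            break
        lo //= 2                          # parent indices for the next level up
        hi //= 2
    return revealed


def receiver_keys(sent, depth=DEPTH):
    """Receiver side: expand each (d, i, seed) down to the key level. The position travels
    with each seed, so the receiver needs no other state to place the keys."""
    keys = {}
    for d, i, seed in sent:
        level = {i: seed}
        for _ in range(depth - d):
            level = {2 * j + w: blind(s, w) for j, s in level.items() for w in (0, 1)}
        keys.update(level)
    return keys


def session(m, n, root=b"constructed-root", depth=DEPTH):
    """One receiver session set-up for keys m..n. Returns (exact_match, seed_count), where
    exact_match is True when the receiver gets every key in m..n and nothing outside it."""
    tree = build_bht(root, depth)
    sent = [(d, i, tree[d][i]) for d, i in minimum_seeds(m, n, depth)]
    got = receiver_keys(sent, depth)
    expected = {i: tree[depth][i] for i in range(m, n + 1)}
    return got == expected, len(sent)


if __name__ == "__main__":
    print(session(5, 12))   # (True, 4): seeds (4,5) (4,12) (3,3) (2,2) cover keys 5..12
```

Running `session` over every m <= n of the 16-key tree confirms that the receiver never obtains a key outside the range she was sold and never needs more than 2D seeds, which is the messaging cost the efficiency table attributes to the BHT.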




Appendix B - Algorithm for identifying minimum set of intermediate seeds for BHC-T 

In the following C-like code fragment 

• the function odd(x) tests whether x is odd 

• and the function reveal(d,i) reveals seed s(d,i) to the receiver 

    min=m; max=n; 
    if (min > max) error();            // reject min > max 
    d=0;                               // working from bottom of tree 
    if (max <= min+1) {                // requested min & max are adjacent / the same... 
        reveal(d,min);                 // ...so reveal left... 
        if (max > min)                 // requested min & max are not the same... 
            reveal(d,max);             // ...so reveal right too... 
        return;                        // ...and quit 
    } 
    for (d=0; ; d++) {                 // move up the tree one level each loop 
        if (max <= min+3) {            // min & max are two or three apart... 
            if (max < min+3) {         // min & max were two apart... 
                reveal(d,min);         // ...so reveal left... 
                reveal(d,max);         // ...and right... 
                reveal(d,min+1);       // ...and centre... 
                break;                 // ...and quit 
            } else {                   // min & max were three apart... 
                if (!odd(min)) {       // ...only if min is even... 
                    reveal(d,min+1);   // ...reveal left centre... 
                    reveal(d,max-1);   // ...and right centre... 
                    break;             // ...and quit 
                } 
            } 
        } 
        if (!odd(min)) {               // even min values are never right children... 
            reveal(d,min);             // ...so reveal even min seed 
            min++;                     // and step min inwards one seed to right 
        } 
        if (odd(max)) {                // odd max values are never left children... 
            reveal(d,max);             // ...so reveal odd max seed 
            max--;                     // and step max inwards one seed to left 
        } 
        min/=2;                        // halve min... 
        max/=2;                        // ...and halve max ready for... 
    }                                  // ...next level up round loop 
CLAIMS 

1. A method of distributing data comprising: 

(a) encrypting a plurality of data units each with one of a sequence of keys; 

(b) communicating encrypted data units to a plurality of user terminals; 

(c) communicating at least one seed value to a user terminal; 

(d) generating from the seed value or values a sequence of keys greater in 
number than the number of seed values communicated to the user terminal; and 

(e) decrypting data units at the user terminal using the said sequence of 
keys, characterised in that in step (d) a sequence of keys constituting an arbitrarily 
doubly bounded portion of the sequence of keys of step (a) is generated, and in that 
the position in sequence of the lower and upper bounds of the said portion are 
determined by the at least one seed value communicated in step (c). 


2. A method according to claim 1, in which the sequence of keys used in step 
(a) is generated by: 

(a) operating on one or more initial seed values and generating a greater 
number of intermediate seed values, which intermediate seed values 
blind the initial seed values; 

(b) further operating on the values produced by the preceding step and 
generating thereby a still greater number of further values, which further 
values blind the values produced by the preceding step; 

(c) iterating step (b) until the number of values produced is equal to or 
greater than the number of keys required for step (a). 

3. A method according to claim 1 or 2, in which step (d) includes combining values 
derived from a plurality of different seed values. 



4. A method according to claim 1 or 2 or 3, in which step (d) includes operating on 
a plurality of seed values with each of a plurality of different blinding functions. 
5. A method according to claim 4, including: 

(I) operating on at least one root seed value with each of a set of different 
blinding functions thereby producing a plurality of further values; 

(II) operating with each of the set of different blinding functions on the 
further values produced by the preceding step or on values derived therefrom; 

(III) iterating step (II) and thereby producing, by the or each iteration, a next 
successive layer in a tree of values; 

(IV) in step (a), using as the sequence of keys values derived from the 
sequence of seeds in one or more of the layers produced by step (III); and 

(V) in step (c), communicating to a user terminal at least one value from 
within the body of the tree, the position in the tree of the or each value 
communicated to the user terminal thereby determining the position and extent of the 
portion of the sequence of keys available to the user for use in decrypting data units. 

6. A method according to claim 5 including, in step (I): 

(i) operating with the set of different blinding functions on a plurality of 
different seed values; 

(ii) for each of the different blinding functions, combining the result of 
operating with one blinding function on one of the seed values and the 
result of operating with the same or another blinding function on 
another of the respective seed values, thereby producing a plurality of 
further values. 

7. A method according to claim 3, in which step (d) includes: 

(I) combining first and second values derived from respective first and 
second blinding function chains, thereby producing a first next seed or 
key, the first and second blinding function chains having different 
respective seeds; 

(II) combining a value derived from a position in the first chain subsequent 
to the position of the first value and a value derived from a position in 
the second chain preceding the position of the second value, thereby 
producing a further next seed or key value. 

8. A method according to claim 7, including iterating step (II) thereby producing 
further key values, in each iteration values from positions subsequent to the previous 
position in the first chain and preceding the previous position in the second chain 
being combined. 

9. A method according to any one of the preceding claims in which the seed 
values are communicated to the user terminals via a communications network. 

10. A method according to claim 9 in which the seed values are communicated 
from a plurality of key management nodes to customer terminals. 

11. A method of encrypting data for distribution comprising: 

(a) operating on at least one root seed value with one or more blinding 
functions, thereby producing a plurality of further values; 

(b) operating with one or more blinding functions on the further values 
produced by the preceding step or on values derived therefrom; 

(c) iterating step (b) and thereby producing, by the or each iteration, a next 
successive layer in a tree of values; 

(d) encrypting a plurality of data units using a sequence of key values 
derived from one or more of the layers generated by step (c). 
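
The tree construction of claims 5 and 11 (and the "greater number of intermediate seed values" of claim 12), worked through as an added Python example that is not part of the patent text. Two HMAC-SHA256 instances with fixed labels stand in for the pair of blinding functions, and the root seed and tree depth are constructed for the example; the claims themselves only require one-way functions. The key manager side picks the in-tree values to send for a paid-for range of keys, and the user terminal side expands them into exactly that range and nothing outside it, which is the "intrinsically limited subset" of the abstract.

```python
import hashlib
import hmac

# Constructed root seed for the example; in practice a secret random value held by the key manager.
ROOT_SEED = hashlib.sha256(b"example root seed").digest()
LEAF_DEPTH = 4  # 2**4 = 16 keys in the sequence (an assumption of the example)


def blind_left(value: bytes) -> bytes:
    """First blinding function (keyed HMAC-SHA256 is an assumption of this example)."""
    return hmac.new(b"blind-left", value, hashlib.sha256).digest()


def blind_right(value: bytes) -> bytes:
    """Second, distinct blinding function; both are one-way, so a child never reveals its parent."""
    return hmac.new(b"blind-right", value, hashlib.sha256).digest()


def next_layer(layer: list[bytes]) -> list[bytes]:
    """Apply both blinding functions to every value, doubling the layer (claim 11 step (b))."""
    return [f(v) for v in layer for f in (blind_left, blind_right)]


def build_tree(root_seed: bytes, leaf_depth: int) -> list[list[bytes]]:
    """Iterate next_layer from the root: layers[d] has 2**d values and layers[-1] is the key sequence."""
    layers = [[root_seed]]
    for _ in range(leaf_depth):
        layers.append(next_layer(layers[-1]))
    return layers


def keys_from_node(value: bytes, depth: int, leaf_depth: int) -> list[bytes]:
    """Receiver side: expand one in-tree value into the 2**(leaf_depth - depth) keys beneath it."""
    layer = [value]
    for _ in range(leaf_depth - depth):
        layer = next_layer(layer)
    return layer


def covering_nodes(lo: int, hi: int, leaf_depth: int) -> list[tuple[int, int]]:
    """Smallest set of (depth, index) nodes whose leaves are exactly keys lo..hi inclusive.
    Greedy: from position i take the largest aligned subtree that still ends at or before hi."""
    nodes = []
    i = lo
    while i <= hi:
        depth = leaf_depth
        while depth > 0:
            span = 1 << (leaf_depth - depth + 1)  # width of the next larger (parent) subtree
            if i % span == 0 and i + span - 1 <= hi:
                depth -= 1
            else:
                break
        span = 1 << (leaf_depth - depth)
        nodes.append((depth, i // span))
        i += span
    return nodes


def tree_seeds_for_range(layers: list[list[bytes]], lo: int, hi: int) -> list[tuple[int, int, bytes]]:
    """Key manager: the (depth, index, value) triples to send a user who has paid for keys lo..hi.
    The position in the tree is what fixes the range the user can derive (claim 5 step (V))."""
    leaf_depth = len(layers) - 1
    return [(d, idx, layers[d][idx]) for d, idx in covering_nodes(lo, hi, leaf_depth)]


def keys_from_seeds(seeds: list[tuple[int, int, bytes]], leaf_depth: int) -> list[bytes]:
    """User terminal: rebuild the contiguous key range from the received in-tree values."""
    keys = []
    for depth, _index, value in seeds:
        keys.extend(keys_from_node(value, depth, leaf_depth))
    return keys


if __name__ == "__main__":
    layers = build_tree(ROOT_SEED, LEAF_DEPTH)
    seeds = tree_seeds_for_range(layers, 3, 9)
    print([(d, i) for d, i, _ in seeds])          # three values cover keys 3, 4-7 and 8-9
    print(keys_from_seeds(seeds, LEAF_DEPTH) == layers[LEAF_DEPTH][3:10])
```

Any contiguous range of the 2**LEAF_DEPTH keys costs at most about 2 * LEAF_DEPTH values to hand out, and a user holding a depth-d value cannot climb to its parent because both blinding functions are one-way, so the remaining keys stay out of reach without any further message from the sender.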

12. A method of communicating data to a group of users comprising: 

(a) encrypting data for distribution; 

(b) systematically and independently of group membership changes 
changing a key used in encrypting the data for distribution; 

(c) communicating the data to the users; and 

(d) at the users' terminals decrypting the data, characterised by generating 
from a number of initial seed values a greater number of intermediate seed values, 
and deriving from these the plurality of keys used in encrypting the data for 
distribution. 
13. A method according to claim 12, in which every possible sub-set of the 
sequence of keys is derivable from a respective combination of seed values. 

14. A method according to any of the preceding claims, in which each encrypted 
data unit carries an unencrypted index number to identify to any receiver which key 
in the sequence should be used to decrypt that data unit. 

15. A method according to any of claims 1 to 14 where the seeds required by any 
receiver to construct the keys for a specific sub-range of the entire key 
sequence are communicated in an order that implicitly identifies each seed. 

16. A method according to any of the preceding claims, in which multiple data 
senders use the same sequence of keys as each other to encrypt the same or 
different data units. 

17. A method according to any of the preceding claims, in which each key in the 
sequence generated from the seeds is used as an intermediate key to be combined 
with another intermediate key or sequence of keys to produce a sequence of keys to 
encrypt or decrypt the data units. 

18. A method of distributing data comprising encrypting a plurality of data units 
each with one of a sequence of keys and communicating the encrypted data units to 
a plurality of user terminals, characterised in that the sequence of keys is generated 
and allocated to application data units in accordance with a key construction 
algorithm, and in that copies of the key construction algorithm are distributed to a 
plurality of key managers so that, in use, receivers may obtain keys for access to an 
arbitrary portion of the data from a key manager without reference to any data 
sender or senders. 

19. A method of operating a user terminal comprising: 

a) receiving a plurality of data units encrypted with a sequence of 
keys; 
b) receiving one or more seed values; 

c) generating from the one or more seed values an arbitrarily doubly 
bounded key sequence larger in number than the number of seeds 
received in step (b); and 

d) decrypting the application data units using the values generated in 
step (c) or values derived therefrom. 
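
The two-chain construction of claims 7 and 8, together with the indexed data units of claim 14, the seed ordering of claim 15 and the user-terminal method of claim 19, as an added Python example that is not part of the patent text. SHA-256 as the blinding function, HMAC-SHA256 as the combining function, the two seeds and the sequence length are all constructed for the example. A forward chain is walked from its seed toward higher positions and a backward chain from its seed toward lower positions; key i combines position i of each, so a receiver holding the forward value at position lo and the backward value at position hi can derive keys lo..hi and no others. The XOR "cipher" below is only there to show the index lookup; a real deployment would use an AEAD.

```python
import hashlib
import hmac

# Constructed example seeds (in practice secret random values held by the key manager).
FORWARD_SEED = hashlib.sha256(b"example forward seed").digest()
BACKWARD_SEED = hashlib.sha256(b"example backward seed").digest()
SEQ_LEN = 16  # number of keys and data units in the example sequence


def blind(value: bytes) -> bytes:
    """One-way blinding function (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(value).digest()


def combine(a: bytes, b: bytes) -> bytes:
    """Combine one value from each chain into a key (HMAC is an assumption of this example)."""
    return hmac.new(a, b, hashlib.sha256).digest()


def forward_chain(seed: bytes, n: int) -> list[bytes]:
    """F[0] = seed, F[i+1] = blind(F[i]): knowing F[i] gives F[i..n-1] but never F[i-1]."""
    chain = [seed]
    for _ in range(n - 1):
        chain.append(blind(chain[-1]))
    return chain


def backward_chain(seed: bytes, n: int) -> list[bytes]:
    """B[n-1] = seed, B[i-1] = blind(B[i]): knowing B[i] gives B[0..i] but never B[i+1]."""
    chain = [seed]
    for _ in range(n - 1):
        chain.append(blind(chain[-1]))
    chain.reverse()
    return chain


def sender_keys(f_seed: bytes, b_seed: bytes, n: int) -> list[bytes]:
    """Sender / key manager: key i combines position i of both chains (claim 7 step (I))."""
    f, b = forward_chain(f_seed, n), backward_chain(b_seed, n)
    return [combine(f[i], b[i]) for i in range(n)]


def chain_seeds_for_range(f_seed: bytes, b_seed: bytes, n: int, lo: int, hi: int) -> tuple[bytes, bytes]:
    """Key manager hands out exactly two values for keys lo..hi: F[lo] first, then B[hi].
    The fixed order is what tells the receiver which seed is which (claim 15)."""
    return forward_chain(f_seed, n)[lo], backward_chain(b_seed, n)[hi]


def receiver_keys(f_value: bytes, b_value: bytes, lo: int, hi: int) -> dict[int, bytes]:
    """User terminal (claim 19): walk forward from F[lo] and backward from B[hi] and combine
    position by position (claim 8); the result is keys lo..hi indexed by sequence number."""
    n = hi - lo + 1
    f, b = forward_chain(f_value, n), backward_chain(b_value, n)
    return {lo + i: combine(f[i], b[i]) for i in range(n)}


def keystream(key: bytes, index: int, length: int) -> bytes:
    """Illustrative counter-mode HMAC keystream; not a real cipher, use an AEAD in practice."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_units(keys: list[bytes], payloads: list[bytes]) -> list[tuple[int, bytes]]:
    """Each data unit carries its unencrypted index so any receiver can pick the key (claim 14)."""
    units = []
    for index, payload in enumerate(payloads):
        ks = keystream(keys[index], index, len(payload))
        units.append((index, bytes(p ^ k for p, k in zip(payload, ks))))
    return units


def decrypt_units(units: list[tuple[int, bytes]], keys: dict[int, bytes]) -> dict[int, bytes]:
    """Decrypt only the units whose index falls inside the key range this receiver holds."""
    out = {}
    for index, ct in units:
        key = keys.get(index)
        if key is None:
            continue  # outside the paid-for window: no key, so no plaintext
        out[index] = bytes(c ^ k for c, k in zip(ct, keystream(key, index, len(ct))))
    return out


if __name__ == "__main__":
    keys = sender_keys(FORWARD_SEED, BACKWARD_SEED, SEQ_LEN)
    units = encrypt_units(keys, [f"unit {i}".encode() for i in range(SEQ_LEN)])
    f_val, b_val = chain_seeds_for_range(FORWARD_SEED, BACKWARD_SEED, SEQ_LEN, 3, 9)
    mine = receiver_keys(f_val, b_val, 3, 9)
    print(sorted(decrypt_units(units, mine)))  # indices 3..9 only
```

Note the asymmetry that makes the window doubly bounded: the forward value F[lo] only ever produces later positions, the backward value B[hi] only ever produces earlier ones, and a key at any position needs both. Two values therefore fix the start and end of access independently of how many keys lie between them, which is why a key manager can serve an arbitrary range without involving the sender (claim 18).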

20. A key manager arranged to operate by a method in accordance with claim 18. 

21. A customer terminal arranged to operate by a method in accordance with 
claim 19. 

22. A communications network arranged to operate by a method in accordance 
with any one of claims 1 to 19. 



23. A network according to claim 22, in which the data is distributed using a 
multicast or broadcast transmission mode. 

24. A network according to claim 22 or 23, in which the network includes a 
virtual private network (VPN) and in which different combinations of seeds for 
constructing different sub-ranges of keys for decrypting data give members of the 
virtual private network different periods of access to the VPN. 

25. A data carrier including a plurality of data units encrypted for use in a 
method according to any one of claims 1 to 19. 
ABSTRACT 

DATA DISTRIBUTION 

In a data distribution system, data is divided into a number of application data 
units. A sequence of keys is generated systematically, and a different key is used to 
encrypt each data unit at the source. At the receivers, corresponding keys are 
generated and used to decrypt the data units to gain access to the data. The 
constructions used to generate the keys are such that an intrinsically limited subset 
of the entire sequence of keys is made available to the user by communicating a 
selected combination of one or more seed values. 